I am part of a team creating a web application using PHP and MySQL. The application will have multiple users with different roles. The application will also be used in a geographically distributed manner. Accordingly we need to create an access control system that operates at the following two levels:
- Controls user permissions for specific php pages i.e. provides or denies access to specific pages (or user interface elements) based on the user's role. For example: a user may be allowed access to the "Students" page but not to the "Teachers" page.
- Controls user permissions for specific database records i.e. modifies database queries so that only specific records are displayed. For example, for a user at the city level, only those records should be displayed that relate to the user's particular city, while for a user at the national level, records for ALL CITIES in the country should be displayed.
I need help on designing a system that can handle both these types of access control. Point no. 1 seems to be simple enough. However, I am completely at a loss on how to do point number 2 without hardcoding the information in the SQL queries.
Any help would be appreciated.
Thanks in advance
Vinayak
I was in similar situation few months ago. I found that tools like Zend_ACL work great if you just check access level to single item (or reasonably low number of them). It fails when you need to get a huge list of items the user is allowed to access. I crafted custom solution to this problem using Business Delegate pattern. BD provides business logic that can be applied in specific context. In this scenario a SQL logic was delivered and used as filtering condition in subselect. See the following diagrams:
(source: epsi.pl)
And sequence diagram that illustrates calls order:
(source: epsi.pl)
I blogged about this solution, unfortunately it's all in Polish, but you may find pieces of code and diagrams handy. What I can say, the implementation is not a piece of cake, but performance-wise it's a champion when compared to iterative access checking for each element on the list. Moreover, the infrastructure above handles not only one type of items on the list. It can serve when accessing different lists, be it list of cities, countries, products, or documents as long as items on the list implement IAuthorizable interface.
It seems to me like what you need is this: (I'll use a country/state/city example)
- A list of all countries. Each "country" has an ID.
- A list of all States within countries. Each state is bound to the ID of the coutnry, but also has its own unique ID.
- A list of all cities. Each city is bound to either a state, or directly to a country, and has a flag to indicate which.
For a city user, obviously search for and display only those records pertaining to the city that matches their ID. For a state or national level though, search for all records pertaining to each city that has an ID matching that nation (or state or what have you).
So basically, each sub group is dependant on the group above it, and although I don't recall correctly, I believe you can use sub queries to do the trick from there.
If you don't know how to do this I would use a php framework like Zend Framework, CakePHP, or Symphony. They have done the heavy lifting for you and have some type of access control scheme already in place.
I have similar solution to build and so far I've decided to use specifications and roles, so in fact one role would have some privilege specifications attached. If they all are satisfied, the permission is granted, otherwise - it falls back to the resource default access.
I was looking over to find someone already implementing the solution, but it seems no one did. Let's hope it won't be a fail :)
来源:https://stackoverflow.com/questions/228672/php-access-control-system