Date: 07/24/01
- Next message: Peter Holm: "RE: [phplib] stricting methods (was: [RFC] Future of phplib)"
- Previous message: Björn Schotte: "Re: [phplib] [RFC] Future of phplib"
- Next in thread: giancarlo pinerolo: "Re: [phplib] Kristian's Perms"
- Reply: giancarlo pinerolo: "Re: [phplib] Kristian's Perms"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I easily applied this permission system (see below) to my existing PHPLib
application by replacing the
$HTTP_SESSION_VARS["login"]["perm"][$db->f("permission")] = "yes";
lines (located in the handle_login function) with
$this->auth["perm"][$this->db->f("permission")] = "yes";
I also had to change the corresponding perm checking functions, but this was
equally straightforward. This system does add a little complexity to the
table structure, but it is going to work much better for me than the
existing PHPLib permissioning scheme.
-----Original Message-----
From: kris <email protected> [mailto:kris <email protected>]
Sent: Sunday, July 22, 2001 2:16 PM
To: phplib <email protected>
Subject: Re: [phplib] [RFC] Future of phplib
In netuse.lists.phplib you write:
>because you use atomic permission scheme, and make every 'level' work as
>a group.
In fact permissions, and groups, should be kept in a database. The schema
used by PHPLIB at the moment sucks.
Define users, groups and permissions as tables:
#
# Table structure for table 'c_user'
#
CREATE TABLE c_user (
  uid      int(11) NOT NULL default '0',
  login    varchar(80) NOT NULL default '',
  pass     varchar(80) binary NOT NULL default '',
  realname varchar(80) NOT NULL default '',
  changed  timestamp(14) NOT NULL,
  PRIMARY KEY (uid),
  UNIQUE KEY login (login)
) TYPE=MyISAM;

#
# Table structure for table 'c_group'
#
CREATE TABLE c_group (
  gid     int(11) NOT NULL default '0',
  name    varchar(80) NOT NULL default '',
  changed timestamp(14) NOT NULL,
  PRIMARY KEY (gid),
  UNIQUE KEY name (name)
) TYPE=MyISAM;

#
# Table structure for table 'c_permission'
#
CREATE TABLE c_permission (
  pid     int(11) NOT NULL default '0',
  name    varchar(80) NOT NULL default '',
  changed timestamp(14) NOT NULL,
  PRIMARY KEY (pid),
  UNIQUE KEY name (name)
) TYPE=MyISAM;
Define a relationship between users and groups, the membership
relation:
#
# Table structure for table 'u_g_rel'
#
CREATE TABLE u_g_rel (
  uid     int(11) NOT NULL default '0',
  gid     int(11) NOT NULL default '0',
  changed timestamp(14) NOT NULL,
  PRIMARY KEY (uid,gid),
  KEY gid (gid)
) TYPE=MyISAM;
Assign permissions to groups, and permissions to users directly:
#
# Table structure for table 'g_p_rel'
#
CREATE TABLE g_p_rel (
  gid     int(11) NOT NULL default '0',
  pid     int(11) NOT NULL default '0',
  changed timestamp(14) NOT NULL,
  PRIMARY KEY (gid,pid),
  KEY pid (pid)
) TYPE=MyISAM;

#
# Table structure for table 'u_p_rel'
#
CREATE TABLE u_p_rel (
  uid     int(11) NOT NULL default '0',
  pid     int(11) NOT NULL default '0',
  changed timestamp(14) NOT NULL,
  PRIMARY KEY (uid,pid),
  KEY pid (pid)
) TYPE=MyISAM;
On login, read the permissions assigned to a user and to the
user's groups, and make them part of the user's session:
function handle_login() {
  global $HTTP_POST_VARS;
  global $HTTP_SESSION_VARS;

  if (isset($HTTP_POST_VARS["login"])) {
    # Check that the form was filled in
    if (!isset($HTTP_POST_VARS["user"])
        or !isset($HTTP_POST_VARS["pass"]))
      return;

    $user = $HTTP_POST_VARS["user"];
    $pass = $HTTP_POST_VARS["pass"];

    # Escape quote characters in the form input before it is interpolated
    # into SQL (unless magic_quotes_gpc has already done so), so that the
    # values cannot change the structure of the queries below.
    $q_user = get_magic_quotes_gpc() ? $user : addslashes($user);
    $q_pass = get_magic_quotes_gpc() ? $pass : addslashes($pass);

    # Check username and password for validity
    $query = sprintf("select c_user.login as login,
                             c_user.realname as realname
                        from c_user
                       where c_user.login = '%s' and c_user.pass = '%s'",
                     $q_user,
                     $q_pass
                    );
    $db = new DB_Passwd($query);
    if (!$db->next_record())
      return false;

    # Create the required variables in Session
    $HTTP_SESSION_VARS["login"]["user"]     = $user;
    $HTTP_SESSION_VARS["login"]["exp"]      = time() + AUTOLOGOUT_TIME;
    $HTTP_SESSION_VARS["login"]["realname"] = $db->f("realname");

    # Permissions by group membership are being read
    $query = sprintf("select c_permission.name as permission
                        from c_user,
                             u_g_rel,
                             c_group,
                             g_p_rel,
                             c_permission
                       where c_user.uid = u_g_rel.uid
                         and u_g_rel.gid = c_group.gid
                         and c_group.gid = g_p_rel.gid
                         and g_p_rel.pid = c_permission.pid
                         and c_user.login = '%s'",
                     $q_user
                    );
    $db->query($query);
    while ($db->next_record()) {
      $HTTP_SESSION_VARS["login"]["perm"][$db->f("permission")] = "yes";
    }

    # Permissions attached to username are being read
    $query = sprintf("select c_permission.name as permission
                        from c_user,
                             u_p_rel,
                             c_permission
                       where c_user.uid = u_p_rel.uid
                         and u_p_rel.pid = c_permission.pid
                         and c_user.login = '%s'",
                     $q_user
                    );
    $db->query($query);
    while ($db->next_record()) {
      $HTTP_SESSION_VARS["login"]["perm"][$db->f("permission")] = "yes";
    }
  }
}
This is how you do Auth and Perm properly, the login part.
Now you must check for Permissions on some pages:
function perm_have() {
  global $HTTP_SESSION_VARS;
  $args = func_get_args();
  for ($i = 0; $i < count($args); $i++) {
    if (!isset($HTTP_SESSION_VARS["login"]["perm"][$args[$i]]))
      return false;
  }
  return true;
}

function perm_have_any() {
  global $HTTP_SESSION_VARS;
  $args = func_get_args();
  for ($i = 0; $i < count($args); $i++) {
    if (isset($HTTP_SESSION_VARS["login"]["perm"][$args[$i]]))
      return true;
  }
  return false;
}
Both functions take any number of arguments. The first is true,
if a user has all of the named permissions, the second is true if
the user has at least one of the named permissions.
The following two functions come in handy when dealing with
permissions:
# Emit <option> elements for every permission in c_permission. $class must
# name a DB_Sql subclass (such as DB_Passwd above) that runs the query;
# $o is an array keyed by permission name marking the preselected entries.
function perm_options($o = "", $class = "") {
  $db = new $class("select pid, name from c_permission order by name");
  while ($db->next_record()) {
    echo ' <option value="', $db->f("pid"), '"';
    if (is_array($o) and isset($o[$db->f("name")])) {
      echo ' selected';
    }
    echo '>', $db->f("name");
    echo '</option>', "\n";
  }
}
# Return the names of all permissions held by the current session.
function perm_list() {
  global $HTTP_SESSION_VARS;
  if (isset($HTTP_SESSION_VARS["login"]["perm"])
      and is_array($HTTP_SESSION_VARS["login"]["perm"]))
    return array_keys($HTTP_SESSION_VARS["login"]["perm"]);
  else
    return array();
}
All code is PHP4 only, and requires register_globals set to Off,
as should be standard in all installations anyway (unless you
want to lose your installation to some script kiddie fast).
Kristian
--
http://www.amazon.de/exec/obidos/wishlist/18E5SVQ5HJZXG
"bow down before the one you serve. you're going to get what you deserve." -- Trent Reznor (Sysadmin?)
--
Unsubscribe by mailing: phplib-unsubscribe <email protected>
Command list by mailing: phplib-help <email protected>
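The permission schema and the two lookups from Kristian's handle_login(), rendered as an added stand-alone example (not code from the thread or from PHPLIB) in Python over an in-memory SQLite database. The sample users, groups and permissions are constructed for the example; the login is passed as a bound query parameter rather than being formatted into the SQL string as the posted sprintf() calls do.

```python
import sqlite3
# SQLite rendering of the six tables from the post; column types are
# simplified and the MyISAM/timestamp details are dropped.
SCHEMA = """
CREATE TABLE c_user (uid INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
CREATE TABLE c_group (gid INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE c_permission (pid INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE u_g_rel (uid INTEGER, gid INTEGER, PRIMARY KEY (uid, gid));
CREATE TABLE g_p_rel (gid INTEGER, pid INTEGER, PRIMARY KEY (gid, pid));
CREATE TABLE u_p_rel (uid INTEGER, pid INTEGER, PRIMARY KEY (uid, pid));
"""
# Constructed sample data: 'editors' grants 'edit'; alice is an editor and
# also holds 'admin' directly; bob is only an editor.
SAMPLE = """
INSERT INTO c_user VALUES (1, 'alice'), (2, 'bob');
INSERT INTO c_group VALUES (10, 'editors');
INSERT INTO c_permission VALUES (100, 'edit'), (101, 'admin');
INSERT INTO u_g_rel VALUES (1, 10), (2, 10);
INSERT INTO g_p_rel VALUES (10, 100);
INSERT INTO u_p_rel VALUES (1, 101);
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con

def load_perms(con, login):
    """The two lookups handle_login() runs after the password check: permissions
    inherited via group membership, then those attached to the user directly.
    The login is a bound parameter, so quote characters in it stay data."""
    via_groups = """SELECT p.name FROM c_user u
                      JOIN u_g_rel ug ON ug.uid = u.uid
                      JOIN g_p_rel gp ON gp.gid = ug.gid
                      JOIN c_permission p ON p.pid = gp.pid
                     WHERE u.login = ?"""
    direct = """SELECT p.name FROM c_user u
                  JOIN u_p_rel up ON up.uid = u.uid
                  JOIN c_permission p ON p.pid = up.pid
                 WHERE u.login = ?"""
    perms = set()
    for query in (via_groups, direct):
        perms.update(row[0] for row in con.execute(query, (login,)))
    return perms  # the keys stored under $HTTP_SESSION_VARS["login"]["perm"]

def perm_have(perms, *names):      # all named permissions held
    return all(name in perms for name in names)

def perm_have_any(perms, *names):  # at least one named permission held
    return any(name in perms for name in names)
```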