常见 CMS 角色和访问级别
我目前正在编写一个 CMS,记得有人(可能就在这里)批评现有的 CMS 没有足够强大的用户权限系统。 我已经计划好了一个方法,但我觉得它已经陷入了通常的陷阱,即粒度太细,这使得理解和实现它对最终用户来说是一件可怕的事情。
我认为拥有一系列具有权限的默认用户角色将是这个问题的答案,所以我想我的问题是:
您希望在 CMS 中看到哪些默认角色以及与这些角色相关联的权限类型是什么?
提前致谢!
I am currently writing a CMS and remember someone (it might have been on here) criticise the existing CMS for not having a robust enough user permissions system. I've got a method planned out but it I feel it has fallen into the usual trap of being a bit too fine-grained which makes understanding and implementing it a horror for end users.
I think having a range of default user roles with permissions would be the answer to this, so I suppose my question is this:
What are the default roles you would like to see in a CMS and what sort of permissions would be associated with these?
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
这是我在大多数项目中最终得到的“最佳实践”,并且对此感到非常满意:
1。 角色
说到角色,我建议具有很大的灵活性,即能够自由创建和定义用户帐户和组(“贡献者”、“经理”等角色不是硬编码的,而是放入可以根据应用程序更改的配置文件中)。 用户无法访问角色配置,但引擎本身应该不受硬编码角色的影响。
2. 权利
权利是指事情需要易于理解和实施。
我在使用和检查代码/API级别的非常细粒度的权限方面取得了非常好的经验:
但是用户从来没有见过那些。 对于他们来说,它们被分组为极少数的“右组”:
用户永远看不到“移动”右,而只看到“管理”权限组。
这样,您就可以在未来的代码中保留细粒度权限的全部权力 - 例如,您可以轻松适应诸如“实习生必须能够编辑页面,但不能编辑页面”之类的规则能够更改它们的标题,也不能删除它们”,为 CMS 添加了宝贵的资产。 对于最终用户来说,此功能仍然不可见,并且权限系统易于使用。
This is the "best practice" I have ended up with in most projects and am very happy with:
1. Roles
When it comes to roles, I recommend great flexibility, i.e. the ability to create and define user accounts and groups freely (roles like "contributor", "manager" etc. are not hard-coded, but put into a configuration file that can be changed per application). The role configuration is unaccessible to the user, but the engine itself should be free from hard-coded roles.
2. Rights
Rights is where things need to be easy to understand and implement.
I have made very good experiences working with, and checking against, very fine-grained rights on the code / API level:
but the user never sees those. For them, they are grouped into a very small number of "right groups":
The user never sees the "move" right, but only the "Administer" rights group.
That way, you retain the full power of fine-grained rights in your code for the future - you can, for example, easily accommodate for a rule like "interns must be able to edit pages, but not be able to change their titles, nor to delete them", adding a valuable asset to the CMS. For the end user, this functionality remains invisible, and the rights system easy to use.
我不久前问过这个问题并得到了以下答复。
I asked this question a little bit ago and got the following response.
您是否研究过 RBAC 等现有解决方案? 虽然这样的系统对于你想要破解的特定坚果来说很可能完全是过度杀伤力,但它至少有助于增强你走在正确轨道上的信心。
除此之外,我期望的一般角色如下:
管理员 - 系统的完全控制,可以查看日志(因为您应该记录所有更改 )等加上...
发布者 - 可以实时发布内容加上...
作者 - 可以创建内容
但是,这些角色如何在整个系统中应用是事情的关键变得棘手,因为特定用户可能对不同的内容区域/模块拥有不同的权限。
Have you researched existing solutions like RBAC? Whilst such a system would most likely be complete overkill for the particular nut you're trying to crack it would at least help to boost confidence that you're on the right track.
That aside, the general roles I'd expect would be along the lines of:
Administator - Total control of the system, can view logs (as you should be logging all changes), etc. plus...
Publisher - Can put content live plus...
Author - Can create content
However, how these roles are applied across the system is where things get tricky, as a specific user would presumably have different rights to different content areas/modules.
管理员 - 可以创建用户 + 下面所有
编辑 - 可以编辑其他人的帖子 + 下面所有
作者 - 可以写帖子,编辑自己的帖子
Administrator - can create users + all below
Editor - can edit posts of others + all below
Author - can write posts, edit own posts
创建者 - 负责创建和编辑内容。
编辑 - 负责调整内容消息
以及交付方式,包括翻译和
本土化。
发布者 - 负责发布内容
使用。
管理员 - 负责管理访问
对文件夹和文件的权限,通常已完成
通过为用户组或角色分配访问权限。
消费者、观众或访客-阅读或阅读的人
以其他方式吸收内容发布后或
共享。
Creator - responsible for creating and editing content.
Editor - responsible for tuning the content message
and the style of delivery, including translation and
localization.
Publisher - responsible for releasing the content for
use.
Administrator - responsible for managing access
permissions to folders and files, usually accomplished
by assigning access rights to user groups or roles.
Consumer, viewer or guest- the person who reads or
otherwise takes in content after it is published or
shared.
管理员:拥有所有权利的人
作者:对特定内容拥有所有权利的人(例如拥有博客的博客作者),还拥有以下权限:添加/邀请用户协作/查看内容
协作者:可以编辑/添加作者授予权限的内容,不能删除内容或邀请/添加更多协作者
查看者< /strong> :如果作者邀请查看内容,则可以查看内容
编辑 :可以批准/编辑所有类型的内容
期望高级用户/开发人员使用 CMS。 但对于新的 CMS 管理员来说,基本角色使系统更加可用。
Admin : The one with all the rights
Author : The one who has all rights to a specific content (like a blog author who owns the blog), also has the permissions to add/invite users to collaborate/view the content
Collaborator : The one who can edit/add content to which the author has given rights, cannot delete the content or invite/add more collaborators
Viewer : The one who can view the content if the author has invited to view
Editors : The one who can approve/edit all types of content
Having a fine grain control is not a bad idea if you expect advanced users/developers to use the CMS. But for novice CMS managers, the basic roles make the system much more usable.
我不一定会忽视您现在拥有的细粒度控制系统。 如果您有一个适应性强的产品,那么重点是通过提供简化的接口来隐藏复杂性(例如,使用外观模式或适配器模式)。 好处是您为用户提供了简化版本(像“管理员”这样的简单权限可以“删除”“帖子”),同时仍然保留细粒度的功能(如果您稍后需要它们)(例如,更复杂的权限处理是允许删除当该帖子是您自己在类别 X 中的帖子时发布的帖子)。 然后,您可以在某些地方提供简化版本的替代方案以满足该需求。
I wouldn't necessarily dismiss the fine grained control system you have now. If you have one that is adaptable focus on hiding away the complexity by providing a simplified interface (eg use the facade pattern or the adapter pattern). The benefits are that you provide users with the simplified version (simple permissions like 'admin' can 'delete' a 'post') while still retaining the fine grained features should you need them later (eg more complicated permission handling is to allow to delete posts when the post is your own post in category X). Then you can provide an alternative to the simplified version for that need in some places.
对于大多数应用程序,我认为对于 CMS 来说也是如此,我的客户通常更喜欢以权限为导向的方法。 事情是这样的:
为了让事情变得更好一点,您可以创建多个角色(编辑者;管理员)以使典型用户的创建更容易(通过在选择角色时预先填写表单)。
For most applications, so I think it'll be true for CMSs as well, my customers usually prefer a rights-oriented approach. Here is how it goes :
To make things a little better, you can create several roles (Editor; Administrator) to make typical users creation easier (by pre-filling the form when a role is chosen).
我有一个基于 Zend Framework 构建的自定义 CMS,它使用 Zend 的 ACL 来扩展一些基本角色(因此您可以专门拒绝其他用户的资源或允许其他人访问他们通常无法访问的资源)。 我的基本角色从 CMS 用户一直到网站“成员”,如下所示(我只使用一个用户表来存储我的所有身份验证)。
开发人员
编辑任何内容、编辑布局、设置、配置。 使用可以调用 shell 脚本并强制执行 cron 作业的特殊工具。
管理员
编辑任何内容、编辑布局、设置。
作者
编辑内容。
会员
可以查看登录屏幕、忘记密码和错误报告。
现在,Zend 有一个很好的 ACL 实现,因此您可以轻松扩展基本 ACL 类并添加从基本角色扩展的新角色。 因此,我可能会创建一个有权访问开发人员工具之一(例如清除或缓存管理)的“管理员”,或者锁定作者使其只能管理博客(而不是例如新闻)。
I have a custom CMS built on the Zend Framework that uses Zend's ACL to extends some basic roles (so you can deny resources specifically for additional users or allow others to access resources they normally couldn't). My basic roles go from CMS users all the way down to website "members" as follows (I just use one users table to store all my authentication).
Developer
Edit any content, edit layouts, settings, configuration. Use special tools that can call shell scripts and force cron jobs.
Admin
Edit any content, edit layouts, settings.
Author
Edit content.
Member
Can view the login screen, forgot password and bug report.
Now, Zend has a nice ACL implementation so you can easily extends your base ACL class and add new roles that extend from the basic roles. So I might make an "Admin" who has access to one of the Developer tools (e.g. purge or cache management) or lock an author to only be able to manage blogs (and not for example news).