How to implement forum permissions

Posted on 2024-09-03 03:37:35 · 244 words · 1 view · 0 comments

I've started developing a forum application in PHP on my MVC Framework and I've got to the stage where I assign permissions to members (for example: READ, WRITE, UPDATE, DELETE).

Now, I know I can add 5 columns under the user table in my database and set them to 1 | 0, but that to me seems like too much if I want to add other rules, like MOVE for example.

And how can I dynamically assign these privileges to users individually?

I've heard of using bitmasks, but it would be really good if I could fully understand them before I continue.

Do you have an example of how I might implement this?

Comments (4)

迷迭香的记忆 2024-09-10 03:37:35

A permissions bitmask is best understood when represented as binary, with each digit representing a permission being on or off. So if permissions X, Y, and Z exist, and I only have access to X and Z, 101 would represent that I have the first and third permissions granted to me, but not the second. The binary number 101 is equivalent to the decimal number 5, so that is what would end up stored in the database. A single, small integer is a much more efficient object to store than a string or several small integers.

EDIT: I realized just how easy it was to leverage existing conversion functions to get a pretty quick implementation going. Here's a sample.

<?php
function bitmask_expand($n) {
  // 9 returns array(1, 0, 0, 1)
  return str_split(base_convert($n, 10, 2));
}

function bitmask_compact($a) {
  // array(1, 0, 0, 1) returns 9
  return (int) base_convert(implode($a), 2, 10);
}

$ns = range(0, 7);
foreach($ns as $n) {
  print_r($b = bitmask_expand($n));
  echo bitmask_compact($b), "\n\n";
}

You might get better performance if you use loops, rather than pulling back to and from strings, but this illustrates the principle pretty clearly.
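The same idea written with PHP's bitwise operators instead of string conversion, as an added example that is not part of the original answer. The class name `Perm`, the bit assigned to each permission and the `validate` check are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. Bit assignments are assumptions.
final class Perm
{
    const READ   = 1 << 0; // binary 00001
    const WRITE  = 1 << 1; // binary 00010
    const UPDATE = 1 << 2; // binary 00100
    const DELETE = 1 << 3; // binary 01000
    const MOVE   = 1 << 4; // binary 10000, added later with no schema change
    const ALL    = self::READ | self::WRITE | self::UPDATE | self::DELETE | self::MOVE;

    // Reject masks carrying bits that map to no known permission,
    // e.g. a corrupted row or a value taken from request input.
    public static function validate(int $mask): int
    {
        if ($mask < 0 || ($mask & ~self::ALL) !== 0) {
            throw new InvalidArgumentException("unknown permission bits in mask $mask");
        }
        return $mask;
    }

    public static function grant(int $mask, int $perms): int
    {
        return self::validate($mask | $perms);
    }

    public static function revoke(int $mask, int $perms): int
    {
        return self::validate($mask) & ~$perms;
    }

    // True only if every requested bit is set; an empty request is denied.
    public static function can(int $mask, int $perms): bool
    {
        return $perms !== 0 && (self::validate($mask) & $perms) === $perms;
    }
}

$mask = Perm::grant(0, Perm::READ | Perm::UPDATE);  // value to store in one INT column
foreach (['READ', 'WRITE', 'UPDATE', 'DELETE', 'MOVE'] as $name) {
    printf("%-6s %s\n", $name, Perm::can($mask, constant("Perm::$name")) ? 'allow' : 'deny');
}
$mask = Perm::revoke(Perm::grant($mask, Perm::MOVE), Perm::UPDATE);
printf("stored mask: %d (binary %05b)\n", $mask, $mask);
```

Once a mask is stored, the bit assigned to a permission must never be renumbered or reused, otherwise existing rows silently change meaning.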

各自安好 2024-09-10 03:37:35

The method you described -- individual privileges stored in columns -- is straightforward at the expense of flexibility (as you noticed).

Zuul's method is even more simple and essentially the same as yours, except it avoids the need for any "ALTER TABLE" statements. However, it is not normalized, not easily queryable and not self-documenting.

Another problem with both of these methods is that as your user base grows, you will find it increasingly more of a pain to keep everybody's privileges set properly. You will find yourself with a lot of users who need exactly the same privileges. Yet in order to change a user's privileges, such as to accommodate a new privilege, you will have to go in and add that privilege to each user who needs it individually. Major PITA.

For a forum, it's not likely that you'll need per-user privilege management. More likely you'll have certain classes of users like anonymous users, logged-in users, moderators, administrators, etc. This would make it well-suited for role-based access control (RBAC). In this system you would assign each user to a role, and grant privileges to the role. Privileges would be stored as rows in a "privilege" table, so the simplified database schema would look like:

PRIVILEGE
int id (primary key)
varchar description

ROLE_PRIVILEGE_JOIN
privilege_id (foreign key)
role_id (foreign key)

ROLE
int id (primary key)
varchar description

USER
int id (primary key)
int role_id (foreign key)

This pattern is used in many applications that deal with user privileges. Add every privilege that anyone could possibly have as a row in the privilege table; add every role that any user could possibly have in the role table; and link them appropriately in the role_privilege_join table.

The only real disadvantage is that because a join table is used, the "can user X do Y" query is going to be somewhat slower.
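The "can user X do Y" lookup over this schema, as an added example that is not part of the original answer. It assumes PHP with the pdo_sqlite extension and an in-memory database; the function name `userCan`, the constraints, and every role, privilege and user row are constructed for illustration.

```php
<?php
// Added example, not the answerer's code. Requires the pdo_sqlite extension.
// Table and column names follow the schema above; all rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(<<<'SQL'
PRAGMA foreign_keys = ON;
CREATE TABLE privilege (id INTEGER PRIMARY KEY, description VARCHAR(30) NOT NULL UNIQUE);
CREATE TABLE role      (id INTEGER PRIMARY KEY, description VARCHAR(30) NOT NULL UNIQUE);
CREATE TABLE role_privilege_join (
    privilege_id INTEGER NOT NULL REFERENCES privilege(id),
    role_id      INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (privilege_id, role_id)
);
CREATE TABLE user (id INTEGER PRIMARY KEY, role_id INTEGER NOT NULL REFERENCES role(id));
INSERT INTO privilege VALUES (1,'READ'),(2,'WRITE'),(3,'UPDATE'),(4,'DELETE'),(5,'MOVE');
INSERT INTO role VALUES (1,'member'),(2,'moderator');
INSERT INTO role_privilege_join VALUES (1,1),(2,1),(1,2),(2,2),(3,2),(4,2),(5,2);
INSERT INTO user VALUES (10,1),(20,2);
SQL
);

// "Can user X do Y": one parameterized join. No matching row means deny,
// which covers unknown users, unknown privileges and ungranted ones alike.
function userCan(PDO $db, int $userId, string $privilege): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user u
           JOIN role_privilege_join rp ON rp.role_id = u.role_id
           JOIN privilege p ON p.id = rp.privilege_id
          WHERE u.id = :uid AND p.description = :priv
          LIMIT 1'
    );
    $stmt->execute([':uid' => $userId, ':priv' => $privilege]);
    return $stmt->fetchColumn() !== false;
}

$checks = [[10, 'READ'], [10, 'DELETE'], [20, 'MOVE'], [99, 'READ'], [10, 'BAN']];
foreach ($checks as [$uid, $priv]) {
    printf("user %-2d %-6s %s\n", $uid, $priv, userCan($db, $uid, $priv) ? 'allow' : 'deny');
}
```

Granting a new privilege to every moderator is a single insert into `role_privilege_join`, with no per-user updates.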

天涯离梦残月幽梦 2024-09-10 03:37:35

I would create a Table called "Roles":

CREATE TABLE Roles(
 id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
 rolename VARCHAR(30));

Stick whatever permissions you want in there. Then create a Table called "UserRoles" to link users to roles:

CREATE TABLE UserRoles(
 id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
 UserId INT,
 RoleID INT);

Lots of flexibility and easy to build upon (i.e. workflow, rules, etc.)
(I would add foreign keys as well)

最近可好 2024-09-10 03:37:35

You don't need to complicate that, just use a field "ex: permissions" and do something like:

$permissions = "1;1;0;1";

where in your concern it reads:

READ - 1 (can)

WRITE - 1 (can)

UPDATE - 0 (cannot)

DELETE - 1 (can)

then, when checking, just use "explode" by ";"...

This way, you can always apply more permission types without changing your table... thus you get your table smaller, and your query faster!

It's a workaround for your problem :)
