PHP:如何检查给定组的成员是否允许更改模型
在我正在开发的应用程序中,每个用户可以属于一个或多个组,例如“访客”、“成员”、“管理员”等。
当用户应用更改模型的操作时,例如注册帐户、编辑某人的帖子等等,我需要验证用户是否可以这样做。
反过来,操作可以有一个被允许执行它的所有者(或主体)。例如,注册登录操作主体为guest
,注销主体为member
(即登录会员),编辑后操作主体为owner
。
现在我按照 Apache 允许、拒绝规则执行此操作: - 每个方法都有一个允许使用它的用户角色列表 - 每个角色都有 3 个属性:
order
(“允许,拒绝”或“拒绝,允许”)
允许
- 包含主题角色列表(可以是不同的)来自当前用户),例如所有者、访客、成员、管理员等,允许使用它
deny
- 与上面相同,但不允许使用它的主体角色
Function isAllowed
具有以下逻辑:
获取当前用户和主题的组。
如果当前用户 ID = 主题用户 ID,则会将“所有者”添加到当前用户和主题的组中。
如果方法的用户角色中没有列出当前用户的组,则函数返回 false。
Else 函数继续检查主题的组是否在允许或拒绝列表中,并应用顺序(允许/拒绝)逻辑。
如果有超过 1 个结果(例如主题用户既是会员又是管理员),我会应用从属逻辑(其中每个角色都有一个重要的数值,因此我可以知道作为管理员是比作为普通会员更重要的职位)并选择最重要角色的结果(允许或拒绝)。
这有道理吗?我应该改变什么?
In the app that I'm working on each user can belong to one or more of the groups, e.g. 'guest', 'member', 'admin' etc.
When user applies action that changes model, e.g. registering account, editing someone's post, etc, I need to verify if user is allowed to do this.
Actions in turn can have an owner (or subject) who is allowed to execute it. For example, registration and login actions subject is guest
, logout subject is member
(meaning logged-in member), editing post action subject is owner
.
Right now I do it a la Apache allow,deny rules:
- each method has a list of user roles that are allowed to use it
- each of these roles has 3 attributes:
order
("allow,deny" or "deny,allow")
allow
- with list of roles of subject (who can be different from current user), e.g. owner, guest, member, admin, etc, who are allowed to use it
deny
- same as above, but subject roles who are not allowed to use it
Function isAllowed
has this logic:
Gets groups of current user and subject.
If current user ID = subject user ID, it adds 'owner' to groups of both current user and subject.
If none of current user's groups listed in method's user roles, function returns false.
Else function goes on to check if subject's groups are in allow or deny lists and applies order (allow/deny) logic.
If there's more than 1 result (e.g. subject user is both member and admin), I apply subordination logic (where each role has a numeric value of importance, so I can know that being admin is a more important position that being a regular member) and pick result (allow or deny) for the most important role.
Does this make sense? What should I change?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我会将用户组加载到他们的会话中。然后,当您到达需要特定组权限的函数时,对会话变量执行 if 操作以查看它是否匹配。
请参阅:http://php.net/manual/en/ref.session.php
I would load the users' group into their session. Then when you get to a function that requires a certain group permission, do an if on the session variable to see if it matches.
See: http://php.net/manual/en/ref.session.php