How to structure user permissions for a CMS

Posted on 2024-10-11 19:46:08 · 269 words · 5 views · 0 comments

I am creating a custom photography CMS system and need to implement a user authentication and permissions system. What are the usual practices in the industry to go about creating such a schema?

Basically I need to have users, and users can be of different types. Some users, let's say, can only create galleries, others can only edit them, or edit only certain galleries, etc. So how should this be structured? I am using a MySQL database and I am using PHP to code the CMS.

I tried looking on Google; however, I only found articles which explain how to create users for the actual MySQL database. I will appreciate a link to an article which explains how this sort of stuff should be done.

Thank you in advance.

Comments (1)

稚气少女 2024-10-18 19:46:08

There are two common approaches to this problem, both involve breaking apart the allowable operations into something discrete that you can name. (Delete posts, create galleries, upgrade the code, dump the database, launch the missiles, open the garage door.) Give each one of these a bitmap in a bitvector (if you intend on having fewer than 32 permissions, this is a nice and compact storage mechanism; if you think it'll grow beyond 32 permissions, the size of a typical integer, then maybe a table in your database..)

So, you can either map users to permissions directly ("I want to grant gallery_create to sarnold") or you can map users and permissions via classes of users ("I want to grant gallery_create to all members of the art_curator class; then I wish to promote user sarnold from docent to art_curator").

If you map users to permissions directly, you may find a hodge-podge of strange permissions in deployment years later. If you map users to classes, you may find yourself with artificial classes of users because you trusted one specific person with a privilege, but not other privileges.

Figuring out the best way to address this mapping is still an open problem; I have written about different types of permission models ("Modelling a permissions system") that may be too much or may be too little information, depending upon how complicated you would like your system to become.

If you would like to just store permissions in bitmaps (e.g., the Linux kernel's implementation of CAPABLE() for CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, and so forth) then you could add new privileges with something very simple:

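/* strcmp() is declared in <string.h>; == on C strings would compare pointers, not contents */
if (strcmp(requested_new_permission, "CAP_SYS_ADMIN") == 0)
  user->permissions |= CAP_SYS_ADMIN;
else if (strcmp(requested_new_permission, "CAP_DAC_OVERRIDE") == 0)
  user->permissions |= CAP_DAC_OVERRIDE;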

...

Then when you need to test the capabilities:

if (CAPABLE(user, CAP_SYS_ADMIN))
  reboot_server();

and the macro CAPABLE() can look like:

#define CAPABLE(user,cap) ((user)->permissions & (cap))

(Forgive the C, I just don't know php very well; I've been forced to fix far too many php bugs to want to learn it myself.)

If you want to map users to permissions through user classes, then it might be three tables: a users table, a groups or classes table, and a permissions table. classes has columns for user_id and permission_id. When you need to check if a permission can be granted, select the user's class, then select the permission in the class. (It's also been years since I've hand-written SQL; I'm sure a single query can give you a yes or no answer, but I'm not sure if it would be a multiple table join or using subqueries or if it would just be easier to make two queries to the database. :)

Hope this helps.
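
The class-based mapping from the answer above, written out for MySQL as an added example (not part of the original answer). It assumes two link tables (user_classes, class_permissions) rather than a single classes table holding user_id and permission_id, and shows the single yes/no query the answer mentions; all table and column names and the gallery_edit permission are assumptions, while sarnold, docent, art_curator and gallery_create come from the answer.

```sql
-- Constructed schema (all names are assumptions): permissions reach users only via classes.
CREATE TABLE users       (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
                          username VARCHAR(64) NOT NULL UNIQUE) ENGINE=InnoDB;
CREATE TABLE classes     (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
                          name VARCHAR(64) NOT NULL UNIQUE) ENGINE=InnoDB;
CREATE TABLE permissions (id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
                          name VARCHAR(64) NOT NULL UNIQUE) ENGINE=InnoDB;
CREATE TABLE user_classes (
  user_id  INT UNSIGNED NOT NULL,
  class_id INT UNSIGNED NOT NULL,
  PRIMARY KEY (user_id, class_id),
  FOREIGN KEY (user_id)  REFERENCES users(id)   ON DELETE CASCADE,
  FOREIGN KEY (class_id) REFERENCES classes(id) ON DELETE CASCADE
) ENGINE=InnoDB;
CREATE TABLE class_permissions (
  class_id      INT UNSIGNED NOT NULL,
  permission_id INT UNSIGNED NOT NULL,
  PRIMARY KEY (class_id, permission_id),
  FOREIGN KEY (class_id)      REFERENCES classes(id)     ON DELETE CASCADE,
  FOREIGN KEY (permission_id) REFERENCES permissions(id) ON DELETE CASCADE
) ENGINE=InnoDB;

-- Constructed sample data: sarnold starts as a docent; only art_curator holds permissions.
INSERT INTO users (username) VALUES ('sarnold');
INSERT INTO classes (name) VALUES ('docent'), ('art_curator');
INSERT INTO permissions (name) VALUES ('gallery_create'), ('gallery_edit');
INSERT INTO class_permissions (class_id, permission_id)
  SELECT c.id, p.id FROM classes c CROSS JOIN permissions p
  WHERE c.name = 'art_curator' AND p.name IN ('gallery_create', 'gallery_edit');
INSERT INTO user_classes (user_id, class_id)
  SELECT u.id, c.id FROM users u CROSS JOIN classes c
  WHERE u.username = 'sarnold' AND c.name = 'docent';

-- Yes/no check in one query (from PHP, bind both values as prepared-statement parameters).
SELECT EXISTS (
  SELECT 1 FROM users u
  JOIN user_classes uc      ON uc.user_id = u.id
  JOIN class_permissions cp ON cp.class_id = uc.class_id
  JOIN permissions p        ON p.id = cp.permission_id
  WHERE u.username = 'sarnold' AND p.name = 'gallery_create'
) AS allowed;

-- Promotion from docent to art_curator changes one membership row, not per-user grants.
UPDATE user_classes uc
  JOIN users u   ON u.id = uc.user_id
  JOIN classes d ON d.id = uc.class_id AND d.name = 'docent'
  JOIN classes a ON a.name = 'art_curator'
SET uc.class_id = a.id
WHERE u.username = 'sarnold';
```

Running the SELECT before and after the UPDATE shows the check following class membership. The application should run this check on the server for every state-changing request rather than relying on which buttons the page displays.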
