What is wise priviledge system in CMS?

Perttu Pulkkinen wrote:

Content management system I'm working consists pages, categories, users (and
images). It is in the first place dircted to companies where 1-10 persons
are taking care of site content. I am thinking how should I set my
privilegde system:

1) use priviledge levels in a simple way: each normal admin is either
allowed just to make drafts for superadmins to accept or not. superadmins
can do anything.
* dbtable solution:
field like priv enum('superadmin', 'admin') in admins table

2) connect piviledge levels to categories also: certain adminLEVEL can write
only to those categories that superadmin allows him/her to (while he/she may
still make drafts to every category?)
* dbtable solution:
connector table levels_categories

3) connect every admin personally to certain categories
* dbtable solution: connector table admins_categories

I would say Use bit fields.

example.

define("SUPERADMIN", 1);
define("ADMIN", 2);

if ($userpermission & SUPERADMIN) {
//the user is a super user
}

etc...

Each user need a permission field too, with their right bit value stored
in it. That means each user can have many roles as well, because you can
just add all the bit values together and you have one permission int. In
the categories table you can add the bit field required for accessing
the category.

if ($categorypermission & $userpermission) {
//the user have access
}
Do you follow the idea ?

--
Henrik Hansen

If you want a really flexible privilege system then go for a database table
solution. I have outlined my ideas on this in a document at
http://www.tonymarston.co.uk/php-mys...s-control.html which
is based on my experiences of such systems over the past 20 years.

HTH.

--
Tony Marston

http://www.tonymarston.net

"Perttu Pulkkinen" <pe**************@co.jyu.fi> wrote in message
news:98************@read3.inet.fi...

Content management system I'm working consists pages, categories, users (and images). It is in the first place dircted to companies where 1-10 persons
are taking care of site content. I am thinking how should I set my
privilegde system:

1) use priviledge levels in a simple way: each normal admin is either
allowed just to make drafts for superadmins to accept or not. superadmins
can do anything.
* dbtable solution:
field like priv enum('superadmin', 'admin') in admins table

2) connect piviledge levels to categories also: certain adminLEVEL can write only to those categories that superadmin allows him/her to (while he/she may still make drafts to every category?)
* dbtable solution:
connector table levels_categories

3) connect every admin personally to certain categories
* dbtable solution: connector table admins_categories

"Henrik Hansen" <hh****@fsck.dk> kirjoitti viestissä news:apMKc.26086

I would say Use bit fields.
example.
define("SUPERADMIN", 1);
define("ADMIN", 2);
if ($userpermission & SUPERADMIN) {
//the user is a super user
}
etc...
Each user need a permission field too, with their right bit value stored
in it. That means each user can have many roles as well, because you can
just add all the bit values together and you have one permission int. In
the categories table you can add the bit field required for accessing
the category.
if ($categorypermission & $userpermission) {
//the user have access
}
Do you follow the idea ?
Henrik Hansen

I don't have much experience with binary thing other than simple boolean
values. Do you mean that in binary system somepriv = 1, otherpriv= 10 and
someotherpriv = 100 and then all possibilities for user's priv_field are 000
,001, 010, 011, 100, 110 and 111? Can you give more examples?

On Mon, 19 Jul 2004 10:06:02 GMT
"Perttu Pulkkinen" <pe**************@co.jyu.fi> wrote:

"Henrik Hansen" <hh****@fsck.dk> kirjoitti viestissä news:apMKc.26086

I would say Use bit fields.
example.
define("SUPERADMIN", 1);
define("ADMIN", 2);
if ($userpermission & SUPERADMIN) {
//the user is a super user
}
etc...
Each user need a permission field too, with their right bit value
stored in it. That means each user can have many roles as well,
because you can just add all the bit values together and you have
one permission int. In the categories table you can add the bit
field required for accessing the category.
if ($categorypermission & $userpermission) {
//the user have access
}
Do you follow the idea ?
Henrik Hansen

I don't have much experience with binary thing other than simple
boolean values. Do you mean that in binary system somepriv = 1,
otherpriv= 10 and someotherpriv = 100 and then all possibilities for
user's priv_field are 000,001, 010, 011, 100, 110 and 111? Can you
give more examples?

No, a bitwise priv system works this way.
Ex.:

// Map privileges
define("UBERADMIN", 1);
define("NEWS", 2);
define("ARTICLES" 4);
define("FORUM_MOD" 8);
/**
* The sums of these are always unique to the combination.
* Two different combinations of the above privileges
* cannot have the same value.
*/
// Let's pretend that $user has the $priv = 10.
// That is NEWS + FORUM_MOD (2 + 8).

// Then if you want to check if this user has the correct privs
// for an UBERADMIN action you simply do:
if ($priv & UBERADMIN) {
echo "$user has UBERADMIN privilege.";
} else {
echo "$user haven't got UBERADMIN privilege.";
}

You can then easily add more, just remember that numbers are counted as
^2, i.e. 1, 2, 4, 8, 16, 32, 64, 128 etc...
That way no two different combinations can ever be the same.
if ($priv & UBERADMIN)
then checks to see if the UBERADMIN bit is set in $priv.

(This bitwise deal, is actually quite simple, but complicated to
explain.)

Another quick example:
<?php
$privs = array("a" => 1, "b" => 2, "c" => 4, "d" => 8, "e" => 16);
$priv = 27;
foreach ($privs as $key => $val) {
if ($priv & $val) {
$user_priv[] = $key;
}
}

echo "Privileges: " . join(", ", $user_priv);
// Will output: Privileges: a, b, d, e
?>

Does it make more sense now?

Madsen

--
Anders K. Madsen --- http://lillesvin.linux.dk

"There are 10 types of people in the world.
Those who understand binary - and those who don't."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA+7mNlNHJe/JASHcRAkMrAJ9/wAGC/N8BxsehQcxsNlrmLbs3tACfe0ww
CAvlWuabuNBCQeCqR2Pgn9g=
=q/YI
-----END PGP SIGNATURE-----

Perttu Pulkkinen wrote:

"Henrik Hansen" <hh****@fsck.dk> kirjoitti viestissä news:apMKc.26086

I would say Use bit fields.
example.
define("SUPERADMIN", 1);
define("ADMIN", 2);
if ($userpermission & SUPERADMIN) {
//the user is a super user
}
etc...
Each user need a permission field too, with their right bit value stored
in it. That means each user can have many roles as well, because you can
just add all the bit values together and you have one permission int. In
the categories table you can add the bit field required for accessing
the category.
if ($categorypermission & $userpermission) {
//the user have access
}
Do you follow the idea ?
Henrik Hansen

I don't have much experience with binary thing other than simple boolean
values. Do you mean that in binary system somepriv = 1, otherpriv= 10 and
someotherpriv = 100 and then all possibilities for user's priv_field are 000
,001, 010, 011, 100, 110 and 111? Can you give more examples?

You need to know how to use bitwise operations
(http://www.php.net/manual/en/languag...rs.bitwise.php) when you
got to know them you see some good potentional in them.

& check if the bit is in both int's example:

$userpermission is 4 which means it contanins the bits 1 2 and 4 which
means if we do:

if (SUPERADMIN & $userpermission) {

}

it will go into the if because we defined SUPERADMIN to 1 in the other
reply. But lets say $userpermission was 0 meaning for example a normal
user, the above if block would fail because the bit 1 is not in 0.

I am not very good at explaining, but hope it helps.
more info:

http://www.web-max.ca/PHP/misc_5.php

Just ask away, I will try to answer the best I can :)

--
Henrik Hansen

"Perttu Pulkkinen" <pe**************@co.jyu.fi> wrote in message
news:e2**************@read3.inet.fi...

"Henrik Hansen" <hh****@fsck.dk> kirjoitti viestissä news:apMKc.26086

I would say Use bit fields.
example.
define("SUPERADMIN", 1);
define("ADMIN", 2);
if ($userpermission & SUPERADMIN) {
//the user is a super user
}
etc...
Each user need a permission field too, with their right bit value stored
in it. That means each user can have many roles as well, because you can
just add all the bit values together and you have one permission int. In
the categories table you can add the bit field required for accessing
the category.
if ($categorypermission & $userpermission) {
//the user have access
}
Do you follow the idea ?
Henrik Hansen
I don't have much experience with binary thing other than simple boolean
values. Do you mean that in binary system somepriv = 1, otherpriv= 10 and
someotherpriv = 100 and then all possibilities for user's priv_field are

000 ,001, 010, 011, 100, 110 and 111? Can you give more examples?

To answer your question, you do have the right idea!
The statement:
if($userpermissions & PERMISSION)
simply tests to see if the bits in PERMISSION are set (=binary 1) in
$userpermission.
To set the bits you can simply use decimal though, eg to set 011 you would
make it equal to 3.

Thanks for these advices! I also ask kindly to check the reply and new
questions I gave to Tony Marston to keep this thread compact.

Thanks for these advices! I also ask kindly to check the reply and new
questions I gave to Tony Marston in order to keep this thread compact.