Re: Question about user management...

On Tue, Mar 11, 2008 at 10:42 AM, Philip Thompson
<philthathril@xxxxxxxxx> wrote:
>  I do understand the security aspect though. It's like a password that
>  changes quite frequently - it would be, for all intents and purposes,
>  impossible to guess.

    Very similar, yes.  You've got the idea.

>  Oh, I have an idea! Let's say your users are defined this way in the
>  database:
>
>  user_level: ADMIN, GENERAL_USER, LEVEL_ONE_USER, etc...
>
>  Then run your comparison, e.g.:
>
>  if (defined ($user['user_level'])) { ... }
>
>  Maybe Tedd or Dan need to slap some sense into me, but that's one way
>  I *think* you could implement it. =/

    You certainly can do that, but the problem is, if it doesn't come
down to numbers (lower-means-higher[1]), then you're defining a single
set of privileges per level.  This means that each escalated privilege
level would either have to be associated with an array of either
permissible access codes, or (more overhead) would require an array of
all levels defined.  Then, when you add a new level, it would have to
be explicitly defined or otherwise become a child of a parent level,
using inheritance.

    [1] Using the integer method, this can be avoided.  If your
number is 0, you're the equivalent of root on *NIX.  You are God in
the eyes of the system.  You can do anything at all.  Now, say your
number is 10.  You inherit the privilege set of users >=10, but NOT
root-level privileges.  Your guest users may then have a code 99,
which may be your highest number.  This means they have no privileged
access, only general browsing.

    Keep in mind, especially, that you don't have to limit yourself to
INT in the database.  You could - and probably should - use a
FLOAT(2,2) field instead.  This means you can have up to (100^2) - 1
specific levels that will inherit privileges from numbers higher than
the user level.  Counting 0-99.99 gives 10,000 combinations, so root
could have up to 9,999 inherited levels below its own.

    If, however, you want to restrict each level to one privilege set,
and one set only, then you can use definitions or any other method.
You'd just need more data than a single number if you later decided to
expand and use inheritance.

    In any case, the idea is a lot simpler than it probably sounds by
now, but it's a fuller explanation for those interested.

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
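
The lower-means-higher check described in the message above, as an added example that is not part of the original post; the constant names, the action map and the sample rows are assumptions. It uses integer levels 0 to 99 and treats a missing or malformed level as guest, because a NULL or empty value cast to a number becomes 0, which is root in this scheme.

```php
<?php
declare(strict_types=1);

// Hypothetical level constants using the message's numbers: 0 = root, 99 = guest.
const LEVEL_ROOT  = 0;
const LEVEL_STAFF = 10;   // constructed intermediate level
const LEVEL_GUEST = 99;

// Hypothetical map: action => least privileged (highest-numbered) level allowed.
const REQUIRED_LEVEL = [
    'browse'       => LEVEL_GUEST,
    'edit_content' => LEVEL_STAFF,
    'manage_users' => LEVEL_ROOT,
];

/**
 * Normalise a value read from the database into a level.
 * Anything that is not a whole number in 0..99 becomes guest, so a NULL,
 * empty or non-numeric column can never be read as 0 (root).
 */
function normalizeLevel($raw): int
{
    $level = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => LEVEL_ROOT, 'max_range' => LEVEL_GUEST]]);
    // Compare with === because a valid level of 0 is falsy.
    return $level === false ? LEVEL_GUEST : $level;
}

/** A user may perform an action if their number is <= the action's number. */
function canPerform($rawUserLevel, string $action): bool
{
    if (!array_key_exists($action, REQUIRED_LEVEL)) {
        return false; // unknown action: deny
    }
    return normalizeLevel($rawUserLevel) <= REQUIRED_LEVEL[$action];
}

// Constructed sample rows, as they might come back from a user table.
$users = ['root' => '0', 'dan' => '10', 'visitor' => '99', 'broken' => null, 'odd' => 'abc'];
foreach ($users as $name => $raw) {
    foreach (array_keys(REQUIRED_LEVEL) as $action) {
        printf("%-8s %-13s %s\n", $name, $action, canPerform($raw, $action) ? 'allow' : 'deny');
    }
}
```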

