How to codify and store dynamic permission constraints?


Problem description

I have been through this subject before, but haven't found a neat solution yet.

Say we have an application where customers can book a course using the website, and admin staff can also book courses on customers' behalf using a backend system. I'm trying to establish a way to let HR administrators codify constraints applied to permissions like can_make_booking, as the permission isn't just a boolean and shouldn't be hard-coded into the application.

At the moment, customers can make a booking as long as the course date is a date at least 'n' days standard notice in the future, they are booking no more than the number of places available and they are paying at least the amount due (or nil if their account is set to invoice). Managers can book using the backend application, as long as the appointment date is any time after now.

I envision something like this. Let HR administrators add permission constraints like the following:

role      permission    constraint
--------  ------------  ----------
customer  make_booking  1
customer  make_booking  2
customer  make_booking  3
manager   make_booking  5

Then a table of constraints:

constraint  property        operator  value                       OR_parent
----------  ------------    --------  --------------------------  ---------
1           $course_date    >=        strtotime("+$notice days")  NULL
2           $places_booked  <=        $places_available           NULL
3           $paid           >=        $total                      NULL
4           $send_invoice   ==        TRUE                        3
5           $course_date    >=        strtotime("now")            NULL

Chaining these constraints for the customer role would build something like the following evaled code (constraint #4 is paired with #3 as part of an OR sequence):

if($course_date >= strtotime("+$notice days") && $places_booked <= $places_available && ($paid >= $total || $send_invoice == TRUE)){
    // make the booking
}

Each rule could be used independently at each stage, such as JavaScript and form validation, to give feedback if the booking can't be made for some reason.

However, say HR want to change the rule for customers so that they are only allowed to book 3 places at a time, and the $paid amount must be at least the $deposit amount? Ideally, I'd like to allow them to build these PHP rules dynamically, without giving them access to the hard-written code. The properties and values could be sanitized so that evaling code isn't a problem. I don't want to hard-code every combination of each rule as for some cases, there would be no clear way to guess an HR admin's logic in advance.

I've looked at the Zend_ACL version of assertions, but they don't seem to offer the dynamism I'm looking for. What would be a good way to implement these dynamic constraints? Any thoughts from other environments? Thanks!

Some more insight into the problem from a CUSEC presentation by Zed Shaw talking about why "the ACL is dead" - http://vimeo.com/2723800

Recommended answer

Well, this is one of the areas that still elicit a rather big deal of discussion. As some say[who? - think it was Atwood among other people, but a link escapes me], an application that can do everything has already been made; it's called C. What you want to do borders quite nearly the 'too generalized' area, although I can see the value in not needing a programmer every time a business rule changes.

If I'd have to implement such a system, I guess I'd try and break it down into domains. You've done a relatively good job of it already with the second table. Just normalise that into separate domains that are used to compound business rules. You create a business rule which is comprised of 1 or many constraints OR-ed together. Each constraint needs a property that is restricted with an operator against a term. Terms can be tricky, since they can be anything from a property to a function, to a compound function. It's probably easiest to check your business rules to see what you need. Start with, say, properties, booleans and commonplace things like 'NOW'.

So the schema itself would, for example, be comprised of the rules, which contain multiple constraints (obvious benefit being that you could tie these to any [user group/offer/timespan/other domain] you want). These are, in turn, comprised of properties, which would compare with one of the operators (reference table mostly so you can enter custom descriptive names for non-programmers, but you may choose to enter custom functions in it at some point) and, of course, one of the terms. The last part being the most complex one, so you'd probably have to qualify it with an ID in term_types so you'd know whether you're comparing to another property or a function. You can also just VARCHAR it and create the field with PHP, which shouldn't be too difficult, given how you have all the options in properties and/or functions.

It's a very open-ended system (and there are probably better ways of going at it), so it's probably not worth doing unless you know that you'll need a high degree of dynamism in business rules.
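
The schema sketched in the answer (property, operator, typed term) can be interpreted directly, so no PHP string is ever built for eval() and rule text needs no sanitizing. The following is an added example, not code from the question or the answer; the term_type and or_parent column names, the notice_date function name and the sample values are assumptions made for illustration.

```php
<?php
// Added example: constraint rows are data checked against allow-lists; nothing is eval()-ed.
const OPERATORS = ['>=', '<=', '=='];
function resolveTerm(array $c, array $ctx) {
    switch ($c['term_type']) {   // hypothetical column, after the answer's term_types idea
        case 'literal': return $c['term'];
        case 'property':
            if (array_key_exists($c['term'], $ctx)) return $ctx[$c['term']];
            break;
        case 'function':         // named functions only, never arbitrary PHP
            if ($c['term'] === 'now') return $ctx['now'];
            if ($c['term'] === 'notice_date') return strtotime('+' . (int) $ctx['notice'] . ' days', $ctx['now']);
            break;
    }
    throw new InvalidArgumentException("Unsupported term in constraint {$c['id']}");
}

function checkConstraint(array $c, array $ctx): bool {
    if (!in_array($c['operator'], OPERATORS, true) || !array_key_exists($c['property'], $ctx)) {
        throw new InvalidArgumentException("Unsupported constraint {$c['id']}");
    }
    $left  = $ctx[$c['property']];
    $right = resolveTerm($c, $ctx);
    switch ($c['operator']) {
        case '>=': return $left >= $right;
        case '<=': return $left <= $right;
        default:   return $left === $right;   // '==' is stored, compared strictly
    }
}

// Rows sharing an OR_parent are OR-ed with that parent; the resulting groups are AND-ed.
function isAllowed(array $rows, array $ctx): bool {
    $groups = [];
    foreach ($rows as $c) {
        $groups[$c['or_parent'] ?? $c['id']][] = checkConstraint($c, $ctx);
    }
    foreach ($groups as $results) {
        if (!in_array(true, $results, true)) return false;
    }
    return $groups !== [];       // no constraints configured: deny
}
// Constructed sample rows mirroring constraints 1-4 from the question.
$row = fn($id, $p, $op, $type, $term, $or = null) => ['id'=>$id, 'property'=>$p, 'operator'=>$op, 'term_type'=>$type, 'term'=>$term, 'or_parent'=>$or];
$rows = [$row(1, 'course_date', '>=', 'function', 'notice_date'), $row(2, 'places_booked', '<=', 'property', 'places_available'),
         $row(3, 'paid', '>=', 'property', 'total'), $row(4, 'send_invoice', '==', 'literal', true, 3)];
$ctx = ['now' => time(), 'notice' => 14, 'places_booked' => 2, 'places_available' => 5, 'paid' => 0, 'total' => 120, 'send_invoice' => true];
$ctx['course_date'] = $ctx['now'] + 30 * 86400;
var_dump(isAllowed($rows, $ctx));                               // invoice account, nothing paid yet
var_dump(isAllowed($rows, ['send_invoice' => false] + $ctx));   // same booking without invoicing
```

A row with an operator, property or term outside the allow-lists raises an exception, so a malformed or tampered rule blocks the booking instead of being skipped.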
