PHP Access Control System

Problem description

I am part of a team creating a web application using PHP and MySQL. The application will have multiple users with different roles. The application will also be used in a geographically distributed manner. Accordingly, we need to create an access control system that operates at the following two levels:

  1. Controls user permissions for specific PHP pages, i.e. it provides or denies access to specific pages (or user interface elements) based on the user's role. For example: a user may be allowed access to the "Students" page but not to the "Teachers" page.
  2. Controls user permissions for specific database records, i.e. it modifies database queries so that only specific records are displayed. For example, for a user at the city level, only those records should be displayed that relate to the user's particular city, while for a user at the national level, records for ALL CITIES in the country should be displayed.

I need help on designing a system that can handle both these types of access control. Point no. 1 seems to be simple enough. However, I am completely at a loss on how to do point number 2 without hardcoding the information in the SQL queries.

Any help would be appreciated.

Thanks in advance

Vinayak

Solution

I was in a similar situation a few months ago. I found that tools like Zend_ACL work great if you just check the access level of a single item (or a reasonably low number of them). It fails when you need to get a huge list of items the user is allowed to access. I crafted a custom solution to this problem using the Business Delegate pattern. The BD provides business logic that can be applied in a specific context. In this scenario, SQL logic was delivered and used as a filtering condition in a subselect. See the following diagrams:

[Diagram image not available in this copy] (source: epsi.pl)

And sequence diagram that illustrates calls order:

[Sequence diagram image not available in this copy] (source: epsi.pl)

I blogged about this solution; unfortunately it's all in Polish, but you may find the pieces of code and diagrams handy. What I can say is that the implementation is not a piece of cake, but performance-wise it's a champion compared to iterative access checking for each element on the list. Moreover, the infrastructure above handles not only one type of item on the list. It can serve when accessing different lists, be it a list of cities, countries, products, or documents, as long as the items on the list implement the IAuthorizable interface.
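As an added illustration of the answer's approach (my code, not the answerer's or the blog's), the delegate below hands the list query a parameterised filter fragment for the user's scope, which the query applies as a subselect, so the city/country logic is never hard-coded into the SQL. The `UserScope`, `AccessDelegate` and `listStudents` names and the table layout are assumptions, PHP 8.1+ is assumed, and the fixture runs on SQLite through PDO so no MySQL server is needed.

```php
<?php
declare(strict_types=1);

// Scope of the authenticated user: one city, or a whole country (assumed model).
final class UserScope {
    public function __construct(public readonly string $level, public readonly int $id) {}
}

// Business Delegate: delivers the record-level filter for the current scope as a
// SQL fragment plus bound parameters. The fragment text is fixed in code; only
// the scope id is bound, so no user-controlled string ever reaches the SQL.
final class AccessDelegate {
    /** @return array{0:string,1:array<string,int>} */
    public function recordFilter(UserScope $scope): array {
        return match ($scope->level) {
            'city'    => ['s.city_id = :scope_id', [':scope_id' => $scope->id]],
            'country' => ['s.city_id IN (SELECT c.id FROM cities c WHERE c.country_id = :scope_id)',
                          [':scope_id' => $scope->id]],
            default   => ['1 = 0', []], // unknown level: deny by default, list nothing
        };
    }
}

// The list query stays generic; the delegate decides which rows are visible.
function listStudents(PDO $db, AccessDelegate $acl, UserScope $scope): array {
    [$where, $params] = $acl->recordFilter($scope);
    $stmt = $db->prepare("SELECT s.name FROM students s WHERE $where ORDER BY s.name");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory fixture (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, country_id INTEGER)');
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, city_id INTEGER, name TEXT)');
$db->exec('INSERT INTO cities VALUES (1, 10), (2, 10), (3, 20)');
$db->exec("INSERT INTO students VALUES (1, 1, 'Asha'), (2, 2, 'Bo'), (3, 3, 'Chen')");

$acl = new AccessDelegate();
print_r(listStudents($db, $acl, new UserScope('city', 1)));     // Asha only
print_r(listStudents($db, $acl, new UserScope('country', 10))); // Asha, Bo
print_r(listStudents($db, $acl, new UserScope('guest', 0)));    // empty: unknown scope
```

Because the filter is a single subselect, the database evaluates visibility once per query rather than once per row in PHP, which is the performance point the answer makes.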
