Fine-grained access control


Question


I'm familiar with a whole bunch of ways to authenticate users for the web-based administration application we're developing, and even various techniques to keep tabs on authorisation...


However, my question to you is, how would you recommend I implement a fine-grained access control mechanism that offers the following:

  1. Users belong to roles (or groups), e.g. 'salesperson', 'planning', etc.
  2. The admin menu system only shows pages that contain functions relevant to the user's role.
  3. Specific functions within those pages are restricted - e.g. on the 'new booking' page a 'salesperson' user may only make bookings 'in the future', and on the 'edit booking' page may edit a booking 'up to one week from now'. However, a 'planning' user might be allowed to backdate bookings 'up to one week ago' and edit their own bookings 'in any time period', but other people's bookings only 'until tomorrow'...


I know I can implement a basic role-based system to satisfy no.1... I have a feeling I should split the entire application into code chunks, each with their own objectID-permissionID relationship so that I can scan the database of permissions to see which objects are available - that would help me with no.2.


Any ideas how I might build the form control for example, which for 'sales' users only displays a date in the future (but displays dates up to 'one week ago' for planning users), then somehow pairing that with a line in the POST parser that checks to see if the date is in fact within the expected range?


I've played around with the idea I should save each code chunk to the database, then have an object table which dynamically builds the code according to the permissions table, so that the only 'file' on the server is the db connection file!


Any ideas welcome... (even if your background isn't php/MySQL)


Some more insight into the problem from a CUSEC presentation by Zed Shaw talking about why "the ACL is dead" - http://vimeo.com/2723800

Answer


In a bid to implement a 'native' approach, rather than piggy-backing a framework, I've been playing around with the following. Would anyone rate this approach? Do you foresee any pitfalls?

// Check database for existence of this $user against this $object.
function get_permission($user, $object){
    // Query goes here...
    if( ... ){
        return $permission;
    } else {
        return FALSE;
    }
}


The above function would query the database and output something like this:

// Result of role-object query.  
role_ID      object_ID          permission  
-------      ---------          ----------
salesperson  new_booking_date   'min' => 'now', 'max' => '+1 year'  
planning     new_booking_date   'min' => '-1 week', 'max' => '+1 year'  
salesperson  edit_booking_date  'this_user_min' => 'now', 'this_user_max' => '+1 week', 'other_user_min' => 'now', 'other_user_max' => '+1 week'  
planning     edit_booking_date  'this_user_min' => '-1 week', 'this_user_max' => '+1 year', 'other_user_min' => '-1 week', 'other_user_max' => '+1 week'  


The following code in the page containing the form input:

// Draw form control with javascript date validation...
// (the client-side limits are a convenience only; the POST check below is authoritative)
$this_permission = get_permission($this_user, 'new_booking_date');
if($this_permission){
    // PHP needs the key => value pairs wrapped in an array.
    $html->datepicker(array('min' => $this_permission['min'], 'max' => $this_permission['max']));
}


After the booking has been made, another page allows us to edit that field:

// Verify POST data...
$this_permission = get_permission($this_user, 'edit_booking_date');
if($this_permission){
    // $_POST values are strings; compare as a Unix timestamp relative to $date_ref.
    $posted_date = (int) $_POST['date'];
    if($this_user == $author_user
        && $posted_date >= strtotime($this_permission['this_user_min'], $date_ref)
        && $posted_date <= strtotime($this_permission['this_user_max'], $date_ref)){
        // Update database...
    } elseif($posted_date >= strtotime($this_permission['other_user_min'], $date_ref)
        && $posted_date <= strtotime($this_permission['other_user_max'], $date_ref)){
        // Update database...
    } else {
        // Date outside the permitted range: reject the update.
    }
}

Am I on the right track?
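The role-object permission table and the two checks sketched in the answer, as an added example that is not part of the original answer, written in Python so the idea is independent of PHP/MySQL. The permission values are constructed from the table above; the relative bounds ('now', '-1 week', '+1 year') are resolved against a reference time, with a year approximated as 365 days.

```python
from datetime import datetime, timedelta

# Constructed permission table mirroring the answer's role-object query.
# Each bound is an offset relative to a reference time, as in the answer.
PERMISSIONS = {
    ("salesperson", "new_booking_date"): {"min": "now", "max": "+1 year"},
    ("planning", "new_booking_date"): {"min": "-1 week", "max": "+1 year"},
    ("salesperson", "edit_booking_date"): {
        "this_user_min": "now", "this_user_max": "+1 week",
        "other_user_min": "now", "other_user_max": "+1 week"},
    ("planning", "edit_booking_date"): {
        "this_user_min": "-1 week", "this_user_max": "+1 year",
        "other_user_min": "-1 week", "other_user_max": "+1 week"},
}

# Assumption: calendar units approximated in days (a year as 365 days).
UNITS = {"day": 1, "week": 7, "year": 365}

def offset(spec, ref):
    """Resolve a relative spec such as '-1 week' or 'now' against ref."""
    if spec == "now":
        return ref
    count, unit = spec.split()
    return ref + timedelta(days=int(count) * UNITS[unit.rstrip("s")])

def get_permission(role, obj):
    """Permission dict for (role, object), or None when the role has no access."""
    return PERMISSIONS.get((role, obj))

def visible_objects(role):
    """Objects a role may see at all; this drives the menu (point 2 of the question)."""
    return sorted(o for (r, o) in PERMISSIONS if r == role)

def date_allowed(role, obj, is_author, proposed, ref):
    """Server-side check of a submitted date; denies when no permission row exists."""
    perm = get_permission(role, obj)
    if perm is None:
        return False
    if "min" in perm:                      # single range (new booking)
        lo, hi = perm["min"], perm["max"]
    else:                                  # own vs. other users' bookings (edit)
        prefix = "this_user_" if is_author else "other_user_"
        lo, hi = perm[prefix + "min"], perm[prefix + "max"]
    return offset(lo, ref) <= proposed <= offset(hi, ref)
```

Whatever the date picker shows, the submitted value is re-checked with date_allowed before the database is touched, so a tampered form cannot widen the range.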

