Implementing User Authorization in PHP and Javascript


Question

Assuming I have a valid session and an authenticated user, what are some ways to go about implementing user authorization in an application with a PHP/MySQL backend, and a heavy JavaScript front-end?

Most of the implementation examples I can find seem too focused on user authentication, and the authorization just sort of happens. For instance, an if statement checking if the type of user is an admin. This seems way too implemented to me.

In an implementation like mine, there is no way of knowing what "page" the user was on when they initiated the request. So, a method of only serving certain content for certain users, determined by PHP, is too broad for what I need to do.

Ideally each entity has a sort of access control list based either on the user explicitly or on what group or type the user is in.

I went to a local bookstore and spent an afternoon looking through all they had on PHP, MySQL and JavaScript. Surprisingly, most of the books had virtually nothing on user authorization. That scares the hell out of me! This has to be solved by anyone building a large web application that uses AJAX; I just can't seem to find something to get me started.

I would appreciate any and all feedback, experiences, tips, etc. (Any books on this subject?)

Answer

PHP security seems stuck in the dark ages of "a single password gives a token for a single user for a class of particular pages". You seem to be wanting to get a lot more fine-grained in your app, maybe even allowing access to specific pieces of resources depending on that login token. Your thought of access control lists is absolutely correct, and yes, you've discovered the dark secret: no one really published how to design or write an ACL mechanism. That said, it has been done.

First, are you familiar with unix file permissions? They're the -rwxr-xr-x things you see in an ls -l on the command line. Unix has chosen a very simplified approach to ACLs. Each person logged in has a User ID (UID) and one or more Group IDs (GID) (whoami, groups). The Unix file permissions allow three operations, Read, Write, and Execute, which can be on or off. With 2^9 states, these permissions easily fit in an integer, and Unix can then attach that integer to the file directly in the file system. When a user attempts to access a file, permissions are compared from strict to permissive, matching the most permissive privileges allowed. So, users get the first set of permissions, groups get the second, and anyone gets the third. Thus, an executable is usually 755: only the owner can change it, but anyone can read and use it.

Second, LDAP is the Lightweight Directory Access Protocol, a system designed to give multiple network users access to resources. OpenLDAP is a common Linux implementation, and Microsoft's Active Directory on Windows Server speaks LDAP (with a lot of extensions). LDAP has a much more robust system of ACLs. A general configuration is access to [resources] by [who] [type of access granted] [control], or access to dn="uid=matt,ou=Users,dc=example,dc=com" by * none to limit all access to Matt's user information. For a much more complete discussion, I would highly recommend Mastering LDAP (http://my.safaribooksonline.com/book/operating-systems-and-server-administration/ldap/9781847191021), specifically chapter 4 on security. (This is where I get a bit out of my direct knowledge.) I am under the impression that LDAP stores this information in a separate database table, but I don't know that and can't find documentation one way or another. I am keeping an eye out for a possible schema for that.

Short stop to summarize: ACLs take a concept of a user token with possible groups above the user level, a collection of objects to secure in some way, and several consistent possible operations on those pieces: three dimensions of information. Unix stores two of those dimensions with the thing to be secured directly. OpenLDAP stores those three dimensions separately, in some way we don't quite know, but that I suspect is a linked tree structure.

Given that, let's take a look at how we could design an ACL system for a RESTful web application. For assumptions, we will break your application into discrete addressable units: each thing that needs to be secured will be accessible via a URI (http://example.com/users, http://example.com/page_pieces/ticker). Our users will be a simple UID/GIDs token; a user can be part of several groups. Finally, our available operations will be based on the HTTP requests: GET, POST, PUT, DELETE, etc. We now need a system that efficiently handles a 3-dimensional array of data. Our schema should be pretty obvious: (uri, userid, groupid, operations). We deliberately denormalize the operations column into a string list of GET,POST,... so we only need one table. There is no primary key, since we will never really be looking up by ID.

Queries will be done in two steps: SELECT * FROM acl WHERE uri=@uri AND userid=@userid, which will return 0 or 1 rows. If it returns 1 row, we're done and can grep permission to see if the operation is in the list (use * to indicate all perms). If we got 0 rows, run a second query SELECT * FROM acl WHERE uri=@uri AND userid='*' AND groupid IN (@groupid), which will again return 0 or some rows. If it returns some, loop through and look at perms. If it returns 0, do one last query SELECT * FROM acl WHERE uri=@uri AND userid='*' AND groupid='*', which will finally return 0 or 1 row. If it returns 1, look at perms. If it returns 0, take the default action.

We can set permissions in several ways:


  • INSERT INTO acl VALUES (@uri, @userid, '', 'GET,POST') allows a single user GET or POST access
  • INSERT INTO acl VALUES (@uri, '*', 'admin,contributors', 'GET,PUT,POST,DELETE')
  • INSERT INTO acl VALUES (@uri, '*', '*', '') denies all access.

A couple of caveats:


  1. All URIs must be expressed exactly; this solution has no way to set default permissions at a higher level and have them trickle down (left as an exercise to the Questioner).

  2. Uniqueness of uri/uid/gid pairs should happen at some point. The app can handle it, or in MySQL you can do ALTER TABLE acl ADD UNIQUE INDEX (uri, userid, groupid) (look up documentation for similar constraints in other DBMSes).
