Fine-grained access control


Question


I'm familiar with a whole bunch of ways to authenticate users for the web-based administration application we're developing, and even various techniques to keep tabs on authorisation...


However, my question to you is, how would you recommend I implement a fine-grained access control mechanism that offers the following:

  1. Users belong to roles or groups, such as Sales, Planning, etc.
  2. The admin menu system only shows pages relevant to the user's role(s).
  3. Specific functionality within those pages is restricted - e.g. on the new booking page, a sales user may only make bookings in the future, and on the edit booking page may edit bookings up to one week from now. However, a planning user might be allowed to book retrospectively up to a week ago and edit their own bookings for any time period, but bookings made by others only until tomorrow...


I know I can implement a basic role-based system to satisfy no.1... I have a feeling I should split the entire application into code chunks, each with their own objectID-permissionID relationship so that I can scan the database of permissions to see which objects are available - that would help me with no.2.


Any ideas how I might build the form control for example, which for 'sales' users only displays a date in the future (but displays dates up to 'one week ago' for planning users), then somehow pairing that with a line in the POST parser that checks to see if the date is in fact within the expected range?


I've played around with the idea I should save each code chunk to the database, then have an object table which dynamically builds the code according to the permissions table, so that the only 'file' on the server is the db connection file!


Any ideas welcome... (even if your background isn't php/MySQL)


Some more insight into the problem from a CUSEC presentation by Zed Shaw talking about why "the ACL is dead" - http://vimeo.com/2723800

Answer


In a bid to implement a 'native' approach, rather than piggy-backing a framework, I've been playing around with the following. Would anyone rate this approach? Do you foresee any pitfalls?

// Check database for a permission row matching this $user's role and this $object.
// Assumed for the sake of a runnable sketch: a PDO connection in $db, $user['role']
// holding the role_ID, and a table role_object_permissions with the role_ID /
// object_ID / permission columns shown below, permission stored as JSON.
function get_permission($user, $object){
    global $db;
    $stmt = $db->prepare('SELECT permission FROM role_object_permissions WHERE role_ID = ? AND object_ID = ?');
    $stmt->execute(array($user['role'], $object));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if($row){
        // Decode the stored key => value pairs into a PHP array.
        return json_decode($row['permission'], true);
    } else {
        // No row for this role/object pair: deny by default.
        return FALSE;
    }
}


The above function would query the database and output something like this:

// Result of role-object query.  
role_ID      object_ID          permission  
-------      ---------          ----------
salesperson  new_booking_date   'min' => 'now', 'max' => '+1 year'  
planning     new_booking_date   'min' => '-1 week', 'max' => '+1 year'  
salesperson  edit_booking_date  'this_user_min' => 'now', 'this_user_max' => '+1 week', 'other_user_min' => 'now', 'other_user_max' => '+1 week'  
planning     edit_booking_date  'this_user_min' => '-1 week', 'this_user_max' => '+1 year', 'other_user_min' => '-1 week', 'other_user_max' => '+1 week'


The following code in the page containing the form input:

// Draw form control with javascript date validation...
// The min/max bounds only shape what the picker offers; the server-side check below is the real enforcement.
$this_permission = get_permission($this_user, 'new_booking_date');
if($this_permission){
    $html->datepicker(array('min' => $this_permission['min'], 'max' => $this_permission['max']));
}


After the booking has been made, another page allows us to edit that field:

// Verify POST data...
$this_permission = get_permission($this_user, 'edit_booking_date');
$posted_date = strtotime($_POST['date']);   // the form posts a date string; FALSE if it does not parse
$date_ref = time();                          // assumed: the relative 'min'/'max' strings are measured from now
if($this_permission && $posted_date !== FALSE){
    if($this_user == $author_user && $posted_date >= strtotime($this_permission['this_user_min'], $date_ref) && $posted_date <= strtotime($this_permission['this_user_max'], $date_ref)){
        // Update database...
    } elseif($posted_date >= strtotime($this_permission['other_user_min'], $date_ref) && $posted_date <= strtotime($this_permission['other_user_max'], $date_ref)){
        // Update database...
    } else {
        // Date outside the permitted window: reject the edit...
    }
}


Am I on the right track?
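As an added example that is not part of the original question or answer, here is the role/object/permission scheme sketched above carried through end to end in PHP: the role-object table from the answer as constructed in-memory data (a real application would load it with a prepared statement), the lookup that drives both the menu (requirement no. 2) and the datepicker bounds, and the server-side check that re-validates the posted date for the "own booking" and "someone else's booking" cases. The function names, the `$permissions` array and the user names are all assumptions for illustration. The point it makes: the datepicker bounds are only a hint to the browser, so the POST handler has to decide from the same table, deny when the role has no row, and reject input that does not parse instead of coercing it.

```php
<?php
// Added example, not code from the original post. Every name below is assumed.
date_default_timezone_set('UTC');

// Constructed sample of the role-object permission table from the answer.
$permissions = [
    'salesperson' => [
        'new_booking_date'  => ['min' => 'now', 'max' => '+1 year'],
        'edit_booking_date' => [
            'this_user_min'  => 'now', 'this_user_max'  => '+1 week',
            'other_user_min' => 'now', 'other_user_max' => '+1 week',
        ],
    ],
    'planning' => [
        'new_booking_date'  => ['min' => '-1 week', 'max' => '+1 year'],
        'edit_booking_date' => [
            'this_user_min'  => '-1 week', 'this_user_max'  => '+1 year',
            'other_user_min' => '-1 week', 'other_user_max' => '+1 week',
        ],
    ],
];

// Look up the permission row for a role/object pair; false means "no access".
function get_permission(array $table, string $role, string $object)
{
    return $table[$role][$object] ?? false;
}

// Objects a role has any row for: this is what the menu should list (requirement no. 2).
function visible_objects(array $table, string $role): array
{
    return array_keys($table[$role] ?? []);
}

// Bounds handed to the datepicker for a new booking, or null when the role may not create one.
function datepicker_bounds(array $table, string $role, int $ref): ?array
{
    $perm = get_permission($table, $role, 'new_booking_date');
    if ($perm === false) {
        return null;
    }
    return ['min' => strtotime($perm['min'], $ref), 'max' => strtotime($perm['max'], $ref)];
}

// Server-side check of a posted date against the window named by $prefix
// ('this_user' or 'other_user'). True only if the date parses and lies in range.
function date_allowed(array $perm, string $prefix, string $posted, int $ref): bool
{
    $ts = strtotime($posted);
    if ($ts === false) {
        return false; // unparseable input is rejected, never coerced to a number
    }
    $min = strtotime($perm[$prefix . '_min'], $ref);
    $max = strtotime($perm[$prefix . '_max'], $ref);
    return $ts >= $min && $ts <= $max;
}

// May $user (with $role) move a booking authored by $author to $posted?
function can_edit_booking_date(array $table, string $role, string $user, string $author, string $posted, int $ref): bool
{
    $perm = get_permission($table, $role, 'edit_booking_date');
    if ($perm === false) {
        return false; // no row for this role/object: deny by default
    }
    $prefix = ($user === $author) ? 'this_user' : 'other_user';
    return date_allowed($perm, $prefix, $posted, $ref);
}

// Demo with a fixed reference time so the decisions are reproducible.
$ref = strtotime('2009-03-01 12:00:00');
print_r(visible_objects($permissions, 'salesperson'));
print_r(datepicker_bounds($permissions, 'planning', $ref));
var_dump(can_edit_booking_date($permissions, 'salesperson', 'alice', 'alice', '2009-03-05', $ref)); // own booking, four days ahead
var_dump(can_edit_booking_date($permissions, 'salesperson', 'alice', 'alice', '2009-02-20', $ref)); // own booking, in the past
var_dump(can_edit_booking_date($permissions, 'planning', 'bob', 'alice', '2009-03-20', $ref));     // someone else's booking, beyond one week
var_dump(can_edit_booking_date($permissions, 'planning', 'bob', 'bob', '2009-03-20', $ref));       // own booking, within a year
var_dump(can_edit_booking_date($permissions, 'unknown', 'eve', 'eve', '2009-03-05', $ref));       // role with no rows at all
var_dump(can_edit_booking_date($permissions, 'planning', 'bob', 'bob', 'not a date', $ref));      // unparseable input
```

Keeping the same `get_permission` behind both the menu, the picker and the POST handler is what makes the approach hold together: the client only ever sees what the table allows, and the server re-derives the same window from the same row, so a request that bypasses the picker still ends up in the reject branch.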
