Designing a User Access Class / Permissions

I am working on a site that will have several modules that are fully accessible to certain users, semi-accessible to other users and inaccessible to others.

For instance:

  • The “employee” may respond to customer support tickets assigned to him.

  • A “manager” can manage all employees and support tickets in his team, including viewing tickets for a specific employee.

  • The “administrator” can manage all managers, employees and tickets in all teams, as well as some other basic functionalities.

In addition, some pages will show extra content if the current user is an administrator or manager (for example, links to delete / flag). It will not be shown to employees.

I want to create one “Permissions” model that will handle the logic for:

  • Determining whether the user can access the current page or not.

  • Determining whether a particular part of a page should be displayed or not (for example, special links for editing / deleting, which are shown only to administrators and managers).

I need recommendations / suggestions for designing this class, in particular what methods it should have to fulfil the second requirement.

+6
3 answers

The way I have approached this problem when it came up was to give each action that can be taken, or each piece of information that can be shown, its own Permission. Each User has a set of Permissions. From there you can add other levels of structure to help manage the huge number of permissions that will exist, such as hierarchies or permission categories.

Once this is in place, you can either have the various parts of the application ask the User whether it has the required Permission(s), or you can use a PermissionManager that takes the User and the set of Permissions and determines whether the given user has the required Permissions. Either way will work fine, but which one you choose affects the dependencies and architecture of your system.

The PermissionManager approach has the advantage that the parts of your application need not depend on User, so you can swap in a different PermissionManager, for example one that always returns False when the permissions do not match, or True when they all match.

For simple situations this approach may be overkill, and it often seems so at first, but I have gone the route of using basic hierarchical or coarse-grained Roles and been burned by the fact that almost every system I have worked on quickly became too complex for most vanilla, pre-built role-based permission systems.

+3
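An added example (not code from the original question or from this answer) that implements the scheme this answer describes and the two requirements from the question: one Permission per action or displayable element, Roles as named bundles that expand into a User's permission set, and a PermissionManager that page code asks instead of inspecting the User itself. The permission names, roles, page table and element table are assumptions constructed for the example.

```python
"""Permission-per-action model with a swappable PermissionManager.

Added example, not code from the original post. Every permission, role,
page path and element name below is an assumption made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Protocol


class Permission(Enum):
    # One Permission per action that can be taken ...
    TICKET_VIEW_OWN = auto()
    TICKET_RESPOND_OWN = auto()
    TICKET_VIEW_TEAM = auto()
    TICKET_FLAG = auto()
    TICKET_DELETE = auto()
    TEAM_MANAGE = auto()
    MANAGERS_MANAGE = auto()
    # ... and one per piece of information that can be shown.
    UI_SHOW_FLAG_LINK = auto()
    UI_SHOW_DELETE_LINK = auto()


def _build_roles() -> Dict[str, FrozenSet[Permission]]:
    """Coarse-grained roles as named bundles of fine-grained permissions.

    The hierarchy (admin > manager > employee) lives only here; the rest of
    the code sees nothing but the expanded Permission sets.
    """
    employee = frozenset({Permission.TICKET_VIEW_OWN, Permission.TICKET_RESPOND_OWN})
    manager = employee | {
        Permission.TICKET_VIEW_TEAM, Permission.TICKET_FLAG,
        Permission.TEAM_MANAGE, Permission.UI_SHOW_FLAG_LINK,
    }
    admin = manager | {
        Permission.TICKET_DELETE, Permission.MANAGERS_MANAGE,
        Permission.UI_SHOW_DELETE_LINK,
    }
    return {"employee": employee, "manager": manager, "admin": admin}


ROLE_PERMISSIONS = _build_roles()


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    # Per-user grants on top of the roles, for the cases roles do not cover.
    extra: FrozenSet[Permission] = frozenset()

    @property
    def permissions(self) -> FrozenSet[Permission]:
        granted = set(self.extra)
        for role in self.roles:
            # An unknown role grants nothing rather than raising in a request path.
            granted |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(granted)


class PermissionManager(Protocol):
    def has_all(self, user: User, required: FrozenSet[Permission]) -> bool: ...


class DefaultPermissionManager:
    """Grants only when the user holds every required permission."""

    def has_all(self, user: User, required: FrozenSet[Permission]) -> bool:
        return required <= user.permissions


class DenyAllPermissionManager:
    """The 'always False' manager the answer mentions: a lockdown switch."""

    def has_all(self, user: User, required: FrozenSet[Permission]) -> bool:
        return False


# Requirement 1: what each page needs. Requirement 2: what each fragment needs.
PAGE_REQUIREMENTS: Dict[str, FrozenSet[Permission]] = {
    "/tickets/mine": frozenset({Permission.TICKET_VIEW_OWN}),
    "/tickets/team": frozenset({Permission.TICKET_VIEW_TEAM}),
    "/admin/managers": frozenset({Permission.MANAGERS_MANAGE}),
}
ELEMENT_REQUIREMENTS: Dict[str, FrozenSet[Permission]] = {
    "flag_link": frozenset({Permission.TICKET_FLAG, Permission.UI_SHOW_FLAG_LINK}),
    "delete_link": frozenset({Permission.TICKET_DELETE, Permission.UI_SHOW_DELETE_LINK}),
}


class AccessPolicy:
    """The 'Permissions' model from the question, built on a PermissionManager."""

    def __init__(self, manager: PermissionManager) -> None:
        self._manager = manager

    def _check(self, user: User, table: Dict[str, FrozenSet[Permission]], key: str) -> bool:
        required = table.get(key)
        if required is None:
            return False  # unknown page or element: fail closed, never open
        return self._manager.has_all(user, required)

    def can_access_page(self, user: User, path: str) -> bool:
        return self._check(user, PAGE_REQUIREMENTS, path)

    def should_show(self, user: User, element: str) -> bool:
        return self._check(user, ELEMENT_REQUIREMENTS, element)


if __name__ == "__main__":
    policy = AccessPolicy(DefaultPermissionManager())
    bob = User("bob", frozenset({"manager"}))
    print(policy.can_access_page(bob, "/tickets/team"), policy.should_show(bob, "delete_link"))
```

should_show only decides what to render; the endpoint behind a hidden delete link still has to run the same has_all check, because hiding a link is not an access control. Unknown pages, elements and roles all resolve to "denied", so a typo in a route table fails closed rather than open.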

My approach to this problem from the database point of view would be to have a users table containing the list of users; a roles table for the list of roles, for example employee, manager, admin; and a permissions table that stores the values of each action / function available in the system and their permission for a specific role. For example, for admin the values for actions / functions such as create, edit, delete and view are all true. The relationships are shown below, where (N) ---- (N) is a many-to-many relationship.

Users (N) ------- (N) Roles (N) -------- (N) Permissions

+3
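The three-table layout above, as an added example in SQLite (not part of the original answer): the two many-to-many relationships become junction tables, a role's "true" for an action is represented by the presence of a row in role_permissions, and the access check is a single parameterised query. Table names, action names and the seeded users are assumptions constructed for this example.

```python
"""Users / Roles / Permissions tables in SQLite with two junction tables.

Added example, not code from the original answer. Table names, action names
and the seeded users are assumptions constructed for illustration.
"""
from __future__ import annotations

import sqlite3
from typing import Dict, List, Set

SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
CREATE TABLE roles (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE permissions (
    id     INTEGER PRIMARY KEY,
    action TEXT NOT NULL UNIQUE          -- e.g. 'ticket.delete'
);
-- Users (N)----(N) Roles
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id)
);
-- Roles (N)----(N) Permissions: a row here means "true" for that role and
-- action; there is no boolean column, so absence is the only "false".
CREATE TABLE role_permissions (
    role_id       INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    permission_id INTEGER NOT NULL REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (role_id, permission_id)
);
"""

# Constructed sample data: which actions each role may perform, who holds which role.
SAMPLE_ROLE_ACTIONS: Dict[str, List[str]] = {
    "employee": ["ticket.view_own", "ticket.respond"],
    "manager": ["ticket.view_own", "ticket.respond", "ticket.view_team",
                "ticket.flag", "employee.view"],
    "admin": ["ticket.view_own", "ticket.respond", "ticket.view_team",
              "ticket.flag", "ticket.delete", "employee.view", "manager.manage"],
}
SAMPLE_USER_ROLES: Dict[str, List[str]] = {
    "alice": ["employee"],
    "bob": ["manager"],
    "carol": ["admin"],
}

HAS_PERMISSION_SQL = """
SELECT EXISTS (
    SELECT 1
    FROM users u
    JOIN user_roles       ur ON ur.user_id = u.id
    JOIN role_permissions rp ON rp.role_id = ur.role_id
    JOIN permissions      p  ON p.id = rp.permission_id
    WHERE u.username = ? AND p.action = ?
)
"""

ACTIONS_SQL = """
SELECT DISTINCT p.action
FROM users u
JOIN user_roles       ur ON ur.user_id = u.id
JOIN role_permissions rp ON rp.role_id = ur.role_id
JOIN permissions      p  ON p.id = rp.permission_id
WHERE u.username = ?
"""


def open_db() -> sqlite3.Connection:
    """Create the schema in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    actions = sorted({a for acts in SAMPLE_ROLE_ACTIONS.values() for a in acts})
    conn.executemany("INSERT INTO permissions(action) VALUES (?)", [(a,) for a in actions])
    for role, acts in SAMPLE_ROLE_ACTIONS.items():
        conn.execute("INSERT INTO roles(name) VALUES (?)", (role,))
        conn.executemany(
            "INSERT INTO role_permissions(role_id, permission_id) "
            "SELECT r.id, p.id FROM roles r, permissions p "
            "WHERE r.name = ? AND p.action = ?",
            [(role, a) for a in acts],
        )
    for user, roles in SAMPLE_USER_ROLES.items():
        conn.execute("INSERT INTO users(username) VALUES (?)", (user,))
        conn.executemany(
            "INSERT INTO user_roles(user_id, role_id) "
            "SELECT u.id, r.id FROM users u, roles r "
            "WHERE u.username = ? AND r.name = ?",
            [(user, r) for r in roles],
        )
    conn.commit()
    return conn


def user_can(conn: sqlite3.Connection, username: str, action: str) -> bool:
    """Access check as one parameterised query; unknown user or action -> False."""
    (allowed,) = conn.execute(HAS_PERMISSION_SQL, (username, action)).fetchone()
    return bool(allowed)


def user_actions(conn: sqlite3.Connection, username: str) -> Set[str]:
    """Everything a user may do, for rendering menus or for audit output."""
    return {row[0] for row in conn.execute(ACTIONS_SQL, (username,))}


if __name__ == "__main__":
    db = open_db()
    print(sorted(user_actions(db, "bob")), user_can(db, "bob", "ticket.delete"))
```

Usernames and action names arrive as query parameters, never interpolated into the SQL, and a user or action that is not in the tables simply yields False, so the check fails closed. Because a grant is a row rather than a boolean column, there is no way to store a "false" that a later join could accidentally read as a grant.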

My feeling is that you will need to use roles, e.g. employee, manager and administrator, so a roles table holding these will do. Then, for specific actions / permissions, you will need branching logic; for example, for the employee you would have:

if User.IsInRole("employee") // insert the logic for handling customer support tickets
else if User.IsInRole("manager") // insert the logic for performing the manager's duties

and finally the logic for handling the administrator's responsibilities.

To do this you need a users table and a roles table. Hope this helps.

0

Source: https://habr.com/ru/post/886145/
