programming: May 2007 Archives
Many times, as you work through the architecture of your site, you wonder how to control access to certain functions or abilities. If your site has basic articles of text for example, you might think of the following:
The problem is that, even though this is what comes to mind the most, this is often the least ideal way to do it.
Recently, I've been building projects using a different scheme that I'd like to share. This isn't something I came up with but maybe it'll save you some time and headaches and will allow you to break free of the traditional way of doing things.
First, you define all of the available functions you'd like to control. Going along with the example above, we want to control:
The really cool part about this method is that you can extend it as much as you want. You'll see.
Ok, going through the list again. Starting at 1, double the number each time and give that number to each item. So we end up with:
Now, for each user, you give them an "access level". If you want someone to only be able to edit articles, their access level is 2. If you want someone to just have admin rights, their access level is 8. If you want someone to have access to create and delete (but not edit) articles, their access level is 5 (1+4). If you want someone with all access, their access level is 15 (1+2+4+8). To make it easier on yourself, you could make a program that automatically does the math here based on what boxes you have checked. Figuring out someone's access level at first isn't too bad but when you go back later to modify the level, it gets a little frustrating without code to help. Just a suggestion.
Now, in your code, the easiest thing to do is create a small function that breaks it down. For example (in PHP):
----------------------------------------------------------------------------
----------------------------------------------------------------------------
In the above code, I used 16384 as the highest level control (this would be the value of the 15th control in your list if you had that many). If you really only plan on using the 4 mentioned in the example, you could change 16384 to 8.
Now, in the section of your code used to delete articles (remember, access control value "4"), you'd do something like:
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Pretty cool, huh?
This lets you break free of the hierarchy that you're used to. You can give certain people very specific control over something. You could even go as far as giving certain people certain access to specific fields within a form. Obviously, your access control numbers get a little large because of the number of controls you have but it doesn't matter. The number shouldn't ever be seen if you have code put together to help you add and edit those.
Also, something to keep in mind is that the number assigned to your control has no meaning at all except that it has to be unique and is hard to change once you get started. "admin rights" could just as easily be a value of 1 and "create articles" could be 8. You totally break free from the hierarchy thinking you're used to because everyone's access can be unique and very specific. Very cool.
- Users: basic read privileges with no admin rights
- Editors: read, write and edit privileges with limited admin rights
- Admins: all rights, including read/write/edit, add/edit/delete editors, etc.
The problem is that, even though this is what comes to mind the most, this is often the least ideal way to do it.
Recently, I've been building projects using a different scheme that I'd like to share. This isn't something I came up with but maybe it'll save you some time and headaches and will allow you to break free of the traditional way of doing things.
First, you define all of the available functions you'd like to control. Going along with the example above, we want to control:
- who can create articles
- who can modify existing articles
- who can delete articles
- who can add/edit/delete people with privileged access to do #1 - #3
The really cool part about this method is that you can extend it as much as you want. You'll see.
Ok, going through the list again. Starting at 1, double the number each time and give that number to each item. So we end up with:
1 - create articles
2 - edit articles
4 - delete articles
8 - admin rights
(next would be 16 if we had one, etc.)
Now, for each user, you give them an "access level". If you want someone to only be able to edit articles, their access level is 2. If you want someone to just have admin rights, their access level is 8. If you want someone to have access to create and delete (but not edit) articles, their access level is 5 (1+4). If you want someone with all access, their access level is 15 (1+2+4+8). To make it easier on yourself, you could make a program that automatically does the math here based on what boxes you have checked. Figuring out someone's access level at first isn't too bad but when you go back later to modify the level, it gets a little frustrating without code to help. Just a suggestion.
Now, in your code, the easiest thing to do is create a small function that breaks it down. For example (in PHP):
----------------------------------------------------------------------------
function check_access($check_level) {
$highest_level_control = 16384; // why not?
$users_level = $users_access_level_pulled_from_somewhere;
for ($i = $highest_level_control; $i >= 1; $i = $i / 2) {
if ($i <= $users_level) {
$level_track{$i} = 1;
$users_level = ($users_level - $i);
}
}
if ($level_track{$check_level} == 1) {
return 1;
}
else {
return 0;
}
}----------------------------------------------------------------------------
In the above code, I used 16384 as the highest level control (this would be the value of the 15th control in your list if you had that many). If you really only plan on using the 4 mentioned in the example, you could change 16384 to 8.
Now, in the section of your code used to delete articles (remember, access control value "4"), you'd do something like:
----------------------------------------------------------------------------
if (check_access(4) == 0) {
print "Go away";
exit;
}----------------------------------------------------------------------------
Pretty cool, huh?
This lets you break free of the hierarchy that you're used to. You can give certain people very specific control over something. You could even go as far as giving certain people certain access to specific fields within a form. Obviously, your access control numbers get a little large because of the number of controls you have but it doesn't matter. The number shouldn't ever be seen if you have code put together to help you add and edit those.
Also, something to keep in mind is that the number assigned to your control has no meaning at all except that it has to be unique and is hard to change once you get started. "admin rights" could just as easily be a value of 1 and "create articles" could be 8. You totally break free from the hierarchy thinking you're used to because everyone's access can be unique and very specific. Very cool.
