What's a good permissions system to use?

Question

I know vBulletin uses bitperms, I was using them too but when I got to 10^63 they stopped working, it wouldn't handle any numbers greater than that (it being my PHP host).

I'm curious to know what myBB, PhpBB, IPB, Joomla and other scripts on the net use for permission systems, I really want to use a fast permission setup in my script. Right now I've implemented a sql variable on each user called permgroups and would have a value such as 1,4,5 and each of those numbers correspond to a permission group which has a similar variable called canseepages 1,2,3,4,1,4,1,54,6,4,5,22,6,2,3,4,1,2 which correspond to each page I have.

First I select permgroups in PHP

Then I use PHP's explode on permgroups

then I do a foreach on every perm group the user can see

within the foreach I run a sql query to grab the canseepages variable from the permissions group

I then append this to a variable so I end up with something MASSIVE like

$variable = '1,2,3,4,5,6,7,8,9,2,22,55,44,55,33,44,11,44,33,44,11,33,44,'.
'22,33,44,11,22,33,44,33,11,22,33,44,33,22,33,44,55,44,'.
'55,54,26,77,84,645,345,233,11,4,11,3,32';

That variable represents all the pages the user is allowed to view. I then explode that into an array of numbers and I use in_array() to check if the current page they're trying to view is within that array of pages they're allowed to view.

It's pretty fast now but I'm just thinking there must be a faster method of doing all this in general.

Answer 1

Maybe this doesn't apply for you, but typically you'd apply permissions to sections of a system, not individual pages. So, for example, you might have an 'admin' permission, that unlocks all the big adminy sections.

You could have a manager perm that unlocks the ability to add, edit, and delete users from the system. Since it is ultra rare to have a need for someone that can do one of, but not all of, those things.

An alternative is a task-specific permissions system. This site uses one, you've been around long enough to gain some of them.

Answer 2

I figured out a long time back that Bit masks was the best possible solution for User Permissions:

Short Example:

class UserPermissions()
{
    private $Mask = 0;

    //Levels
    const PUBLIC_READ = 1;
    const PUBLIC_WRITE = 2;
    const PUBLIC_EDIT = 4
    const PUBLIC_DELETE = 8;
    //ETC

    public function __construct($Mask)
    {
        $this->Mask = $Mask;
    }

    public function InvokePermission($Bit)
    {
        return ($Mask & $Bit); //True / False
    }

    public function AddPermission($Bit)
    {
        $this->Mask |= $Bit; //Add the bit to the mask
    }

    public function RevokePermission()
    {
        $this->Mask &= ~ $Bit;
    }

    public GetMask()
    {
         return $this->Mask;
    }
}

Simple use like so:

$Permissions = new UserPermissions($User->PermissionsData);

if($Permissions->InvokePermission( Permissions:: PUBLIC_EDIT ))
{
    //Use can edit
}

Some links:

• Why should I use bitwise/bitmask in PHP?
• Duplicate (From Myself)

Answer 3

Why not use arrays of integers as bitmasks? Then you just do something like

$ndx = $pageNo / PHP_INT_SIZE;
$bit = $pageNo % PHP_INT_SIZE;
$canAccess = $permArray[$ndx] & (1<<$bit);

$pageNo is the number of the page the user is trying to access, $permArray is the array of integers representing the permitted pages for the group. If the bit corresponding to the page is set, the user can access the page.

(Sorry if the syntax is wrong, I haven't used PHP for a long time.)