i'm planning to extend my already existing user management to support a more detailed concept for permissions
at the moment i have a column called user_level in my usertable and i'm planning to replace it by the following:

table permission_group
    group_id
    group_name
    group_desc
    group_active

table permission_right
    right_id
    group_id
    right_name
    right_active
    right_desc

table permission_user_group
    user_id
    group_id

table permission_user_right
    user_id
    right_id
    subtract_right

the 1st two tables should be quite self-explanatory, the column active exists to remove group permissions or a single permission from all users at a time by simply deactivating the group/right
the 2nd two tables are needed to grant a user all rights belonging to a group (permission_user_group) or a specific right (permission_user_right)
if i grant user-id 2 the permission group-id 4 i can add new permissions to this group and user-id 2 has the new permissions as well
if i don't want to grant him all of the rights belonging to a group i can grant him rights using permission_user_right.
the field subtract_right exists to... well, difficult to explain with my poor english, i think an example can do better:
user-id: 2
group-id: 4
corresponding right-ids: 3, 4, 5, 6, 7
if i want user 2 to have the rights of group 4 except right 5 i can make 4 entries in permission_user_right (for right-ids 3, 4, 6 and 7)
if i add a new permission to group 4 i have to add this new permission to user 2 by hand as well
with the help of subtract_right i can do as follows:
- add an entry in permission_user_group for user 2 and group 4
- add an entry for user 2 and right 5 in permission_user_right and set subtract_right to 1 (0 is default)
- now if i add a new permission to group 4 even user 2 has this new permission without having to edit him in admin area
what do you think about this?
what is good, what is bad?
how would you do it?
thanks in advance
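
The scheme described in the post above, as an added example that is not part of the original post: the four tables in SQLite with one query that resolves a user's effective rights. The column types, the rule that a subtract_right = 1 row overrides every grant, the rule that an inactive group also disables directly granted rights from that group, and the extra user 9 and group 1 are assumptions made for the example.

```python
import sqlite3

SCHEMA = """
CREATE TABLE permission_group (group_id INTEGER PRIMARY KEY, group_name TEXT,
    group_desc TEXT, group_active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE permission_right (right_id INTEGER PRIMARY KEY,
    group_id INTEGER NOT NULL REFERENCES permission_group, right_name TEXT,
    right_active INTEGER NOT NULL DEFAULT 1, right_desc TEXT);
CREATE TABLE permission_user_group (user_id INTEGER, group_id INTEGER,
    PRIMARY KEY (user_id, group_id));
CREATE TABLE permission_user_right (user_id INTEGER, right_id INTEGER,
    subtract_right INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (user_id, right_id));
"""

# Assumed semantics: a right counts only while it and its group are active,
# and a subtract_right = 1 row always wins over any grant (deny overrides).
EFFECTIVE = """
SELECT r.right_id FROM permission_right r
JOIN permission_group g ON g.group_id = r.group_id
WHERE r.right_active = 1 AND g.group_active = 1
  AND (r.group_id IN (SELECT group_id FROM permission_user_group WHERE user_id = :u)
    OR r.right_id IN (SELECT right_id FROM permission_user_right
                      WHERE user_id = :u AND subtract_right = 0))
  AND r.right_id NOT IN (SELECT right_id FROM permission_user_right
                         WHERE user_id = :u AND subtract_right = 1)
ORDER BY r.right_id
"""

def effective_rights(db, user_id):
    return [row[0] for row in db.execute(EFFECTIVE, {"u": user_id})]

def build_example():
    """Constructed data: the post's user 2 / group 4 case, plus a made-up user 9."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO permission_group (group_id, group_name) VALUES (?, ?)",
                   [(4, "group 4"), (1, "group 1")])
    db.executemany("INSERT INTO permission_right (right_id, group_id) VALUES (?, ?)",
                   [(3, 4), (4, 4), (5, 4), (6, 4), (7, 4), (1, 1)])
    db.execute("INSERT INTO permission_user_group VALUES (2, 4)")     # whole group
    db.execute("INSERT INTO permission_user_right VALUES (2, 5, 1)")  # minus right 5
    db.execute("INSERT INTO permission_user_right VALUES (9, 6, 0)")  # single grant
    return db

if __name__ == "__main__":
    db = build_example()
    print(effective_rights(db, 2))   # rights of group 4 without right 5
    db.execute("INSERT INTO permission_right (right_id, group_id) VALUES (8, 4)")
    print(effective_rights(db, 2))   # new right 8 appears without touching user 2
```

Resolving rights in a single query keeps the subtract and active checks in one place, so application code cannot forget one of them when checking access.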