- id
- slug
- collection
- name
- description
- id
- name
- description
- collection
- id
- role_id
- option_id
- option_setting (bool)
- user_id
- collection
- collection_id
- role_id
So let's implement basic can_smell
and can_eat
permission to the Pizza
Collection.
- Add permission to
auth_options
:
id, slug, collection, name, description
...
1, can_smell, Pizza, 'CAN_SMELL_PIZZA, 'CAN_SMELL_PIZZA _DESC'
2, can_eat, Pizza, 'CAN_EAT_PIZZA', 'CAN_EAT_PIZZA_DESC'
- Create role in
auth_roles
id, name, description, collection
...
1, "Can't eat", "…", Pizza
2, "Can eat", "…", Pizza
- Define the roles data in
auth_roles_data
id, role_id, option_id, option_setting
...
1, 1, 1, 1 //(Role 1 (Can't eat), can_smell, true)
2, 2, 1, 1 //(Role 2 (Can eat), can_ smell, true)
3, 2, 2, 1 //(Role 2 (Can eat), can_eat, true)
N.B: Since can_eat
is not defined for Can't eat
role, he can't eat it by default
- Assign role to user in
auth_users
.
user_id, collection, collection_id, role_id
...
2419, Pizza, 1, 1 //(User #2419 Can't eat pizza #1…)
2419, Pizza, 2, 2 //(…but he can eat pizza #2)
...
4321, Pizza, 1, 2 //(User #4321 Can eat pizza #1…)
4321, Pizza, 2, 2 //(… & #2)
And since none of them have a role defined for pizza #3, nobody can smell or eat pizza #3. We could also define a "default" role by adding a default
column in the role table.
I'm still not sure how to handle the collection ( Pizza
). I guess it should be linked to something in the php code (like the conditions) and not a db model… (or it would require to specify the whole namespace of the model).
Then, in PHP, where $user
is a user object :
$user->auth('can_eat', 2) //return true if the user can eat pizza #2
$user->auth('can_eat') //return true if the user can eat at least one pizza
Or even:
//$auth->(user_id, slug, collection_id)
$auth->get(2419, 'can_eat', 1) //(Return false)
$auth->get(4321, 'can_eat', 1) //(Return true)
$auth->get(4321, 'can_eat') //(Return true, he can eat at least one pizza)
A null
collection (and collection_id) would mean this auth_option is global :
Assign role to user in auth_users
2419, null, null, 1 //(User #2419 has role admin for example…)
...
$user->auth('adminonly_action_slug') //(Return true since user has role `admin` that allows this permission otpion)
For the UI it's easy to query roles and option per Collection:
Display all the auth_options
for the Pizza
collection
Auth_option | Setting (True / False button) |
---|---|
Can_smell | True |
Can_eat | False |
Display the role for each element in the Pizza
collection. (based on the auth_users
table where user_id = 2419
and collection = Pizza
)
Pizzas | Role (Select/dropdown) |
---|---|
Pizza #1 | Can't eat |
Pizza #2 | Can eat |
Pizza #3 | null (default to can't eat & smell) |
Display all users role for the Pizza
collection with id of 1
Users | Role (Select/dropdown) |
---|---|
2419 | Can't eat |
4321 | Can eat |
9999 | null (default to can't eat & smell) |
(This is where group permission could probably help when dealing with thousand of users… while creating a duplicating mess)
It doesn't implement the conditions
from UFV3, but at the same time it probably won't be necessary anymore... Unless someone wants to implement the "per field" permission. It could still be done, but you would need a auth_options
per field.