Here are a few ideas I have been playing with:
We have a permissions cascade: senior_admin creates group_admins, who create users.
Accounts are 'owned' by users, who are 'owned' by group_admin(s), who are 'owned' by senior_admin.
These 3 control who gets to see what.
We (as senior_admin) want to allow certain privileges to some group_admins/users, e.g. who gets to *do* what.
This could go in config.php:
# define some constants, easier than remembering numbers ;-)
# (integers, so they match the ID column of the permission table below)
define("ALLOW_LOGIN", 1);
define("ADD_DOMAIN", 2);
define("ADD_RECORD", 3);
define("ADD_ACCOUNT", 4);
define("ADD_DEFAULT_RECORD", 5);
define("EDIT_DOMAIN", 6);
define("EDIT_RECORD", 7);
define("EDIT_ACCOUNT", 8);
define("EDIT_DEFAULT_RECORD", 9);
define("DELETE_DOMAIN", 10);
define("DELETE_RECORD", 11);
define("DELETE_ACCOUNT", 12);
define("DELETE_DEFAULT_RECORD", 13);
define("COMMIT_DOMAIN", 14);
define("COMMIT_RECORD", 15);
define("COMMIT_ACCOUNT", 16);
define("COMMIT_DEFAULT_RECORD", 17);
# default permissions array: what each kind of login gets to start with
$defaultpermissioninfo = array(
    "user" => array(
        ALLOW_LOGIN
    ),
    "group_admin" => array(
        ALLOW_LOGIN,
        ADD_DOMAIN,
        ADD_RECORD,
        ADD_ACCOUNT,
        ADD_DEFAULT_RECORD,
        EDIT_DOMAIN,
        EDIT_RECORD,
        EDIT_ACCOUNT,
        EDIT_DEFAULT_RECORD,
        DELETE_DOMAIN,
        DELETE_RECORD,
        DELETE_ACCOUNT,
        DELETE_DEFAULT_RECORD
    ),
    "senior_admin" => array(
        ALLOW_LOGIN,
        ADD_DOMAIN,
        ADD_RECORD,
        ADD_ACCOUNT,
        ADD_DEFAULT_RECORD,
        EDIT_DOMAIN,
        EDIT_RECORD,
        EDIT_ACCOUNT,
        EDIT_DEFAULT_RECORD,
        DELETE_DOMAIN,
        DELETE_RECORD,
        DELETE_ACCOUNT,
        DELETE_DEFAULT_RECORD,
        COMMIT_DOMAIN,
        COMMIT_RECORD,
        COMMIT_ACCOUNT,
        COMMIT_DEFAULT_RECORD
    )
);
Then create some more tables:
# list of permissions (IDs must match the constants in config.php)
CREATE TABLE permission (
    ID int(11) NOT NULL auto_increment,
    Name varchar(255) default NULL,
    PRIMARY KEY (ID)
) ENGINE=MyISAM;
INSERT INTO permission (ID, Name) VALUES
    (1, 'Allow Login'),
    (2, 'Add Domain'),
    (3, 'Add Record'),
    (4, 'Add Account'),
    (5, 'Add Default Record'),
    (6, 'Edit Domain'),
    (7, 'Edit Record'),
    (8, 'Edit Account'),
    (9, 'Edit Default Record'),
    (10, 'Delete Domain'),
    (11, 'Delete Record'),
    (12, 'Delete Account'),
    (13, 'Delete Default Record'),
    (14, 'Commit Domain'),
    (15, 'Commit Record'),
    (16, 'Commit Account'),
    (17, 'Commit Default Record');
# table to hold who gets what: one row per login/permission pair,
# the primary key stops the same grant being inserted twice
CREATE TABLE user_permission (
    User int(11) NOT NULL,
    Permission int(11) NOT NULL,
    PRIMARY KEY (User, Permission)
) ENGINE=MyISAM;
# give all to senior_admin (login ID 1) by default
INSERT INTO user_permission (User, Permission) VALUES
    (1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6), (1, 7), (1, 8), (1, 9),
    (1, 10), (1, 11), (1, 12), (1, 13), (1, 14), (1, 15), (1, 16), (1, 17);
A function for functions.php:
# get user permissions
function get_user_perms($id) {
    # the login ID is numeric; casting keeps anything else out of the query
    $id = (int) $id;
    # get permissions for this login
    $q = "SELECT Permission FROM user_permission WHERE User=$id";
    $result = mysql_query($q) or die(mysql_error() . " $q");
    # keyed by permission ID, so callers can test $out[EDIT_RECORD]
    $out = array();
    while ($row = mysql_fetch_array($result)) {
        $out[(int) $row['Permission']] = TRUE;
    }
    return $out;
}
The above function could be used to create an array:
$user_perms_info = get_user_perms($user_info['cid']);
I also would like to propose creating some tables to store pending changes, e.g. pending_records, pending_domains, pending_accounts and pending_user_permissions.
Then someone can add/edit/delete things without the original being lost, and the changes applied by someone having COMMIT_* privileges, once the changes have been checked for sensible values.
So if we want to check if the current login has permission to, say, edit a record:
# empty() rather than a bare lookup: a login without the grant has no key at all
if (!empty($user_perms_info[EDIT_RECORD])) {
    # show the edit form
} else {
    # do not have permission etc
}
and when it comes to writing to the db:
if (!empty($user_perms_info[COMMIT_RECORD])) {
    # write to records
} else {
    # put the proposed changes into pending_records
}
This would require changes in records.php, domains.php and accounts.php as
well as their templates, and the account_form.php to add the new privileges
The main page, currently unused, could display any work pending, with links to
edit the requested changes and commit them.
Comments of course welcome.
--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
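The write-time decision described above, as an added example that is not code from the original message or the project: it combines the array returned by get_user_perms() with the ownership cascade, so a record change is written directly only by a login that holds COMMIT_RECORD and sits above the record's owner in the cascade, is queued as pending with EDIT_RECORD, and is refused otherwise. The function names, the $owners map and the sample IDs are assumptions made for this example.

```php
<?php
# Added example, not code from the original post. Assumed names: $owners maps a
# login ID to the login ID that owns it; $perms is what get_user_perms() returns.
define("ALLOW_LOGIN", 1);
define("EDIT_RECORD", 7);
define("COMMIT_RECORD", 15);

# True when $actor is $principal itself or appears above it in the cascade
# (user -> group_admin -> senior_admin). Bounded so a corrupted or cyclic
# owner map cannot loop forever.
function in_ownership_chain(array $owners, $actor, $principal) {
    for ($depth = 0; $depth < 16 && $principal !== null; $depth++) {
        if ($principal === $actor) {
            return true;
        }
        $principal = isset($owners[$principal]) ? $owners[$principal] : null;
    }
    return false;
}

# Decides what a submitted record change may do: 'commit' (write to records),
# 'pending' (queue in pending_records for a COMMIT_RECORD holder to review)
# or 'deny'. Run this when the change is submitted, not only when deciding
# whether to show the edit form.
function record_change_outcome(array $perms, array $owners, $actor, $record_owner) {
    if (empty($perms[ALLOW_LOGIN])) {
        return 'deny';
    }
    if (!in_ownership_chain($owners, $actor, $record_owner)) {
        return 'deny';   # record belongs to a user outside this login's cascade
    }
    if (!empty($perms[COMMIT_RECORD])) {
        return 'commit';
    }
    if (!empty($perms[EDIT_RECORD])) {
        return 'pending';
    }
    return 'deny';
}

# Constructed sample cascade: 1 = senior_admin, 2 and 5 = group_admins created
# by 1, 3 and 4 = users created by group_admin 2.
$owners = array(2 => 1, 5 => 1, 3 => 2, 4 => 2);
$senior      = array(ALLOW_LOGIN => true, EDIT_RECORD => true, COMMIT_RECORD => true);
$group_admin = array(ALLOW_LOGIN => true, EDIT_RECORD => true);
$user        = array(ALLOW_LOGIN => true);
echo record_change_outcome($senior, $owners, 1, 3), "\n";      # senior_admin holds COMMIT_RECORD
echo record_change_outcome($group_admin, $owners, 2, 3), "\n"; # owns user 3, EDIT_RECORD only
echo record_change_outcome($group_admin, $owners, 5, 3), "\n"; # user 3 is not under group_admin 5
echo record_change_outcome($user, $owners, 3, 3), "\n";        # plain user, no EDIT_RECORD
```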