I need to add user roles and permission system into my web application built using PHP/MySQL. I want to have this functionality:
- One root user can create sub-roots, groups, rules and normal users( all privileges) .
- Sub-roots can create only rules, permissions and users for his/her own group ( no groups).
- A user can access either content created by him or his group, based on the permission assigned to him, by group root.
I need the system to be flexible enough, so that new roles and permissions are assigned to content.
I have a users table storing group key along with other information. Currently I am using two feilds in each content table i.e. createdBy and CreatedByGroup, and using that as the point whether a certain user has permissions. But its not flexible enough, because for every new content, I have to go throug all data updates and permission updates. Please help me by discussing your best practices for schema design.
The pattern that suits your needs is called role-based access control.
There are several good implementations in PHP, including Zend_Acl (good documenation), phpGACL and TinyACL. Most frameworks also have their own implementations of an ACL in some form.
Even if you choose to roll your own, it’ll help you to review well factored solutions such as those.