I'm currently building a complex AngularJS based front-end website. The backend is powered with PHP and MySQL.
I have 2 questions, both regarding user privileges.
How will you design the db schema for storing the user privileges? In the future I'll want to add pre-defined privileges (several sets) and use them as free/premium account types.
How will you manage those privileges in the front-end? When will you fetch/re-fetch the privileges? How will you check them on each methods that requires privileges?
I'm looking for a smart solution that won't limit me in the number of privileges I can define but will also provide a default set of basic privileges if nothing is defined.
About the SQL implementation
The privileges should apply on all users in a specific company.
the db schema is something like this:
- companies (company_id, etc)
- users (user_id, company_id, etc)
From what I understand the privileges schema should look like this:
- privileges(prev_id, prev_name)
- companies_privileges(company_id, prev_id)
User privileges handling
when a user logs in the company privileges are stored with the cookie/session/front-end service.
To verify on the frond-end i use a directive that compares the current user privileges against the required privilege:
data-privilege required=1 user=1
As to the backend part, I'm currently sending a user-token with each request to the server. This token is verified against the database. I can use this to get the user privileges and store them, than check if user can access/use a certain feature.
Besides adding true/false privileges I need support for numerical privileges,
for example: Limit the number of viewable items in a certain list.
Am I thinking right? Am I missing something?
Requirements
- Unlimited privileges per company
- Default privileges should apply on all companies