douzhan2027 2013-11-03 15:28
Views: 95
Accepted

JS (Angular) front-end user privileges with a PHP + MySQL backend

I'm currently building a complex AngularJS based front-end website. The backend is powered with PHP and MySQL.

I have 2 questions, both regarding user privileges.

  1. How will you design the db schema for storing the user privileges? In the future I'll want to add pre-defined privileges (several sets) and use them as free/premium account types.

  2. How will you manage those privileges in the front-end? When will you fetch/re-fetch the privileges? How will you check them on each method that requires privileges?

I'm looking for a smart solution that won't limit me in the number of privileges I can define but will also provide a default set of basic privileges if nothing is defined.

About the SQL implementation
The privileges should apply on all users in a specific company.
The db schema is something like this:

  • companies (company_id, etc)
  • users (user_id, company_id, etc)

From what I understand the privileges schema should look like this:

  • privileges(prev_id, prev_name)
  • companies_privileges(company_id, prev_id)

User privileges handling
When a user logs in, the company privileges are stored with the cookie/session/front-end service.

To verify on the front-end I use a directive that compares the current user privileges against the required privilege:

data-privilege required=1 user=1

As to the backend part, I'm currently sending a user-token with each request to the server. This token is verified against the database. I can use this to get the user privileges and store them, then check if the user can access/use a certain feature.

Besides adding true/false privileges I need support for numerical privileges, for example: limit the number of viewable items in a certain list.

Am I thinking right? Am I missing something?

Requirements
- Unlimited privileges per company
- Default privileges should apply on all companies


2 answers

  • duanhan9479 2013-11-03 16:06

    A quick answer:

    1. I designed and implemented a sophisticated privilege mechanism that was role-based, verb-per-object, with inheritance. It was rather powerful and was the basis for numerous features in the whole system. The difference between free and premium users was among the requirements, and it got covered perfectly. So this is a direction you may want to follow. It goes without saying that this is server-side logic.

    2. Back then, there was no Angular, but generally, in Angular, it is best to do the following: A. Have a service that mainly exposes a single call: isAuthorized(privilege-name). B. Have a directive (needPrivilege='privilege-name') that uses that service and shows/hides/disables according to its boolean result. It goes without saying that it uses isAuthorized. C. Add logic to the routing that uses that service as well, for limiting access to pages in the UI.

    That's my two cents...

    This answer was selected by the asker as the best answer.
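As an added example (not code from the question or the answer), this shows the data flow both posts describe: merging a default privilege set with the company's rows from companies_privileges, then answering the isAuthorized()-style questions the directive and route guard would ask, including the numeric "limit" privileges the question needs. Table and column names follow the question; the `type` and `value` columns, the default set, and the sample rows are assumptions constructed here, and the same merge has to be repeated on the PHP side, since the front-end result only drives the UI.

```javascript
// Constructed sample rows, shaped like the question's privileges table.
// The "type" column is an assumption: it tells boolean and numeric privileges apart.
const PRIVILEGES = [
  { prev_id: 1, prev_name: 'export_reports', type: 'boolean' },
  { prev_id: 2, prev_name: 'manage_users',   type: 'boolean' },
  { prev_id: 3, prev_name: 'max_list_items', type: 'numeric' },
];

// Defaults apply to every company that has no row of its own for a privilege.
// Anything not listed here is denied, so an unknown privilege name fails closed.
const DEFAULT_PRIVILEGES = {
  export_reports: false,
  manage_users: false,
  max_list_items: 10,
};

// Constructed companies_privileges rows; the "value" column is an assumption
// (1/0 for boolean privileges, a number for numeric ones).
const COMPANIES_PRIVILEGES = [
  { company_id: 7, prev_id: 1, value: 1 },    // premium company: export allowed
  { company_id: 7, prev_id: 3, value: 100 },  // premium company: bigger lists
];

// Build the effective privilege map for one company: defaults first,
// then company-specific rows override them.
function effectivePrivileges(companyId, privileges, companyRows, defaults) {
  const byId = new Map(privileges.map(p => [p.prev_id, p]));
  const result = { ...defaults };
  for (const row of companyRows) {
    if (row.company_id !== companyId) continue;
    const def = byId.get(row.prev_id);
    if (!def) continue; // row points at an unknown prev_id: ignore, never grant
    result[def.prev_name] = def.type === 'numeric'
      ? Number(row.value)
      : Number(row.value) === 1; // MySQL may hand back '1' as a string
  }
  return result;
}

// Boolean check used by the needPrivilege directive and the route guard.
function isAuthorized(effective, name) {
  return effective[name] === true;
}

// Numeric check: does the requested amount fit within the company's limit?
// A boolean or missing privilege is not a limit, so it is refused.
function withinLimit(effective, name, requested) {
  const limit = effective[name];
  return Number.isFinite(limit) && requested <= limit;
}
```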

