From: Mark W. <ma...@rw...> - 2011-02-16 18:40:22
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body text="#000000" bgcolor="#ffffff"> Hi Scott, <br> <br> Agreed that the authentication model needs an update. I have already done half the work required to do exactly this.<br> In the code you will see an include/auth/auth.class.php which is currently a stub class waiting to have some more code added in.<br> (the code is already written, I didn't want to change it until there was a robust way of sending database updates to developers).<br> <br> The way it works is<br> <br> a table of users<br> a table of user groups<br> a table assigning users to usergroups<br> a table of privileges (i.e. monthly, viewpage, granted) more specifically in the db('monthly', 'view','1')<br> a table of privilege assignments that maps a privilege to individual users or a user group.<br> <br> The structure is such that it is 100% expandable. The inspiration for the structure was Active Directory.<br> <br> The only thing I haven't got as far as writing is a GUI to control the privileges. (if someone could help here maybe?)<br> <br> Along with the auth update is a menu system update to improve how the menu is built. - drop down menus etc (database driven)<br> The GUI is complete for that bit.<br> <br> Finally I have an update for the login / logout scripts / account management /registration / forgot password scripts. More information to follow on that.<br> <br> Regards<br> Mark<br> <br> <br> <pre class="moz-signature" cols="72">_____________________________________________ Mob: 07725 695178 Email: <a class="moz-txt-link-abbreviated" href="mailto:ma...@rw...">ma...@rw...</a></pre> <br> On 16/02/2011 16:58, Scott Miller wrote: <blockquote cite="mid:AANLkTikVQiZwMT85hL4hB1aV370QGXrjV2kF=B7...@ma..." 
type="cite">I'm preparing to work on translating the existing config database table into our new configuration table, and when I went to start, I realized I'd worked on creating a new security model and thus new security tables.<br> <br> So, currently our security model consists of each login being given one of 3 access levels: user, manager, administrator. Also, each page is given one of 4 access levels: user, manager, administrator, none. To successfully get access to a page, your access level must be greater than or equal to the level the page has been given.<br> <br> Within the database, those accesses are defined via an ENUM mechanism, and I believe it was a mistake to use enums, because if you want to add a new level, you have to modify the database schema. I propose to eliminate the enums, and just use raw integer values for the page and user access levels.<br> <br> 2ndly I propose to take the page security definitions out of the configuration table completely, and create a new page security table. The security table would have the page name and the default access, and I was intending to add a field to determine whether the page name was allowed on the menu bar at all.<br> <br> I had also thought that it would be nice, particularly for some reports, to allow a security exception. I envisioned this to be per user, and another new table would be needed. username, pagename, and an access override code. The override code was to be 0 - no access, 1 - read access, 3 - read and save access (it's a binary bit map (save, read) - 2 would be save only, but without read that would be rather useless). 
I envisioned a check in the code for each page would query if there was an exception entry for the username/page, and if not, normal access would be granted; if so, the override access would be used.<br> <br> What do you all think about these proposals?<br> <br> -Scott<br> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Tsheetx-developers mailing list <a class="moz-txt-link-abbreviated" href="mailto:Tsh...@li...">Tsh...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/tsheetx-developers">https://lists.sourceforge.net/lists/listinfo/tsheetx-developers</a> </pre> </blockquote> </body> </html>
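The page check in Scott's quoted proposal (integer levels, a page security table, a per-user exception table with a read/save bit map), sketched as an added example that is not part of the thread or the project's code. It uses Python with SQLite rather than the project's PHP; the table and column names, the integer level values, rejecting override code 2, and denying unknown users or pages are assumptions.

```python
import sqlite3

READ, SAVE = 0b01, 0b10          # override bit map from the proposal: (save, read)
USER, MANAGER, ADMIN = 1, 2, 3   # assumed integer values replacing the ENUM levels

SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, level INTEGER NOT NULL);
CREATE TABLE page_security (pagename TEXT PRIMARY KEY,
                            min_level INTEGER NOT NULL,
                            on_menu INTEGER NOT NULL DEFAULT 1);
CREATE TABLE page_exception (username TEXT NOT NULL, pagename TEXT NOT NULL,
                             override INTEGER NOT NULL CHECK (override IN (0, 1, 3)),
                             PRIMARY KEY (username, pagename));
"""

def build_sample_db():
    """Constructed sample data, not taken from the project."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", USER), ("bob", MANAGER), ("carol", ADMIN)])
    db.executemany("INSERT INTO page_security VALUES (?, ?, ?)",
                   [("monthly", USER, 1), ("reports", MANAGER, 1), ("config", ADMIN, 0)])
    db.executemany("INSERT INTO page_exception VALUES (?, ?, ?)",
                   [("alice", "reports", READ),   # read-only grant below the page level
                    ("carol", "reports", 0)])     # explicit deny despite admin level
    return db

def effective_access(db, username, pagename):
    """Return the READ/SAVE bit map the user holds on the page (0 = no access)."""
    row = db.execute("SELECT override FROM page_exception "
                     "WHERE username = ? AND pagename = ?", (username, pagename)).fetchone()
    if row is not None:                  # an exception entry replaces the level check
        return row[0]
    row = db.execute("SELECT u.level, p.min_level FROM users u, page_security p "
                     "WHERE u.username = ? AND p.pagename = ?", (username, pagename)).fetchone()
    if row is None:                      # unknown user or unlisted page: deny (assumption)
        return 0
    level, min_level = row
    return READ | SAVE if level >= min_level else 0

def can(db, username, pagename, action):
    """True if the user's effective bit map includes the requested action bit."""
    return effective_access(db, username, pagename) & action == action
```

Because an exception entry replaces the level comparison outright, an override of 0 locks out even an administrator, so writes to the exception table need the same protection as the user levels themselves.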