Where/how to put a class to control what a user can do (privileges)?
I am using a class that performs the right query based on $_POST['action']. Example:
class data { // pseudocode: decides which query to run from $_POST['action']
    public function __construct() {
        if ($_POST['action'] == 'insert') {
            mysql_query("INSERT .."); // mysql_* functions were removed in PHP 7; same idea with PDO
        } else if ($_POST['action'] == 'edit') {
            mysql_query("UPDATE ..");
        }
    }
}
Now of course I would like to prevent a user from doing something that he can't do, for example editing a post of someone else, or something more complicated like: he can edit his post only if it is not yet published. Once the post is published he can't edit it anymore (or maybe something based on time).
How would you add these checks to my class data? I once heard about Zend_ACL; is that something that can work for this case?
Edit: I would avoid using the database for storing privileges.
Edit2: I would like to do this: every user gets a "level"; level = 1 means you are an admin, level = 2 means you are an editor, level = 3 means you are a simple user.
So to each level corresponds some privileges. Now where should I put this information?
ty
You have to set a flag in your table, and then check for that flag; according to that you can develop access layers.
Mainly your tables must have these fields:
post_id (PK) | post_by (user_id of the post owner) | is_published (ENUM (Y,N))
Now check the following at the editing of that post:
- first, whether the current logged-in user id and the post_by id are the same or not
- if yes, then check whether is_published is set to Y or N
- if N, then don't allow to edit
- if Y, then allow to edit
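Putting the two ideas above together (the question's level scheme and the answer's post_by / is_published columns), here is an added example, not code from the question or either answer, of keeping the rules in a separate policy class that the data class consults before running a query. Class names, the array shapes for $user and $post, and the table/column names other than post_id, post_by and is_published are assumptions. The rule encoded follows the question's requirement (owner may edit only while unpublished; admin may always edit), and the user identity is taken from the server-side session rather than from $_POST, so a client cannot claim a level or user id it does not have.

```php
<?php
// Added example (hypothetical names), PHP 8+.
declare(strict_types=1);

final class Level
{
    // Lower number = more rights, as in the question.
    public const ADMIN  = 1;
    public const EDITOR = 2;
    public const USER   = 3;
}

final class PostPolicy
{
    /**
     * $user: ['id' => int, 'level' => int]  (from the session, never from $_POST)
     * $post: ['post_id' => int, 'post_by' => int|string, 'is_published' => 'Y'|'N']  (loaded from the DB)
     */
    public function canEdit(array $user, array $post): bool
    {
        // Admins may edit anything.
        if ($user['level'] === Level::ADMIN) {
            return true;
        }
        // Everyone else must own the post (cast: drivers may return ints as strings) ...
        if ($user['id'] !== (int) $post['post_by']) {
            return false;
        }
        // ... and may only edit it while it is still unpublished.
        return $post['is_published'] === 'N';
    }

    public function canPublish(array $user, array $post): bool
    {
        // Publishing is reserved for editors and admins.
        return $user['level'] <= Level::EDITOR;
    }
}

// The data class loads the post by id and asks the policy before the UPDATE,
// so the decision is made on stored data, not on values the client submitted.
final class PostData
{
    public function __construct(private PDO $db, private PostPolicy $policy) {}

    public function edit(array $user, int $postId, string $body): void
    {
        $stmt = $this->db->prepare('SELECT post_id, post_by, is_published FROM posts WHERE post_id = ?');
        $stmt->execute([$postId]);
        $post = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($post === false || !$this->policy->canEdit($user, $post)) {
            throw new RuntimeException('Not allowed to edit this post');
        }
        $update = $this->db->prepare('UPDATE posts SET body = ? WHERE post_id = ?');
        $update->execute([$body, $postId]);
    }
}

// Constructed sample data; the policy itself needs no database to be exercised.
$policy = new PostPolicy();
$alice  = ['id' => 7, 'level' => Level::USER];
$editor = ['id' => 3, 'level' => Level::EDITOR];
$admin  = ['id' => 1, 'level' => Level::ADMIN];
$draft  = ['post_id' => 10, 'post_by' => '7', 'is_published' => 'N'];
$live   = ['post_id' => 11, 'post_by' => '7', 'is_published' => 'Y'];

var_dump($policy->canEdit($alice, $draft));    // owner editing her own unpublished post
var_dump($policy->canEdit($alice, $live));     // owner, but the post is already published
var_dump($policy->canEdit($editor, $draft));   // editor is not the owner
var_dump($policy->canEdit($admin, $live));     // admin overrides the ownership rule
var_dump($policy->canPublish($editor, $draft));
```

Because the levels and rules live in PHP classes rather than in a table, this also matches the question's wish to avoid storing privileges in the database; only the per-post facts (owner, published flag) remain in the posts table, as the answer suggests.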
Your pseudocode looks too simple for me. Doing everything in the constructor? Or how to translate it?
IMO first you need to define your needs. Which tasks are permitted and which are not? When you have the outline, you have the solution too.