How do you properly void a permission when using Bitwise Permissions?

Alright, Here's the gist of what I'm planning to do.

I'm going to have two tables. One with "ranks" or "roles" and one with users. I want to assign permissions on a role/user basis and retract permissions on a user basis.

So, just for general purposes lets say that we have $role_can $user_can and $user_cant

I know that for specifying which purposes, we can use bitwise OR. $permi开发者_运维问答ssions = ($role_can | $user_can) and that will combine the two.

Now, I want to be able to retract certain permissions after that. This is NORMALLY done using a bitwise XOR, but I want to make it idiot proof. In other words, I don't want to accidentally give them access to a permission by excluding a permission they don't already own.

What is the best way to do this?

Traditionally (($role_can | $user_can) ^ $user_cant) - but it won't work for the idiot proofing.

I'm still pretty new to bit operations, so go easy on me if the answer is obvious.

I'm using PHP, but an acceptable answer can be in any language / pseudo-code so long as it works and is easily understood.

Thanks.

You can use the bitwise "not" operator.

(($role_can | $user_can) & ~$user_cant)