我建议在数据库中创建一系列用户组,每个用户组都有一个或多个用户帐户级别,然后将整数作为分层值分配给组,然后对个人帐户进行相同操作组内的水平,这样的事情(这是一个关系结构,使用InnoDB):
table: account_groups (Broader account groupings)
Fields:
-id_key - primary key, auto number
-group - unique index
-parent - index, foreign key=account_groups.group (this allows you to create group trees, so you can specify that a county group belongs to a state, and a municipality belongs to a county group, etc.)
-group_hierarchy - integer (0 is highest permission group, each subsequent one step lower)
table: account_levels (Account levels within a group)
Fields:
-id_key - primary key, auto number
-account_level - unique index
-group - index, foreign key=account_groups.group
-account_heirarchy - integer (same as other table but denotes heirarchy within the group
table: user_accounts (Individual user accounts)
Fields:
-id_key - primary key, auto number
-account_id - unique index, user account name
-account_level - index, foreign key=account_levels.account_level
table: user_groups (denotes which tree(s) the user has access to)
Fields:
-id_key - primary key, auto number
-account_id - index, foreign key=user_accounts.account_id
-group - index, foreign key=account_groups.group
再来说权限:
table: permissions (directory of permissions that could be applied)
Fields:
-id_key - primary key, auto number
-permission - unique index, permission identifier
-other stuff you need associated with the individual permissions, based on how you want them to hook into your program
table: permissions_group_permissions (permissions applied at group level)
Fields:
-id_key - primary key, auto number
-group - index, foreign key=account_groups.group
-permission - index, foreign key= permissions.permission
table: permissions_account_permissions (permissions applied at account level)
Fields:
-id_key - primary key, auto number
-account_type - index, foreign key=account_levels.account_level
-permission - index, foreign key=permissions.permission
table: permissions_individual_permissions (permissions applied to individual accounts, if neccessary)
Fields:
-id_key - primary key, auto number
-account_id - index, foreign key=user_accounts.account_id
-permission - index, foreign key=permissions.permission
-allow_or_deny - boolean (TRUE means permission is granted, FALSE means permission if revoked. This allows you to fine tune individual accounts, either granting custom elevated permissions, or revoking individual permissions for troublesome accounts without demoting them from the group. This can be useful in some special circumstances)
-expiration - timestamp (allows you to set expiration dates for permissions, like if you want to temporarily suspend a specific action. Programmatically set default value of 00/00/00 00:00:00 as indefinite. You can do this at the account and group levels too by adding this field to those tables.)
然后可以使用PHP通过对权限进行迭代由fi个人帐户首先获取与帐户级别相关联的组,然后按分层次序对每个后续组进行排列,然后从当前组中的当前帐户级别迭代当前组的层级顺序(作为多维阵列添加到组数组)到组内最后一个现有帐户级别。接下来,您将获取每个后续组的所有帐户级别,最后为已添加到阵列的每个帐户级别获取所有关联权限。如果您实现了单独的用户权限,那么您需要在权限数组中添加单独应用的权限,最后从阵列中删除allow_or_deny字段设置为FALSE的任何权限。如果用户需要访问多个树,则可以向account_groups表中添加一条记录,以匹配其帐户ID,表示他们访问的树的最高级别是什么,然后遍历树中所有后续组。要向该帐户授予所有适用的权限,请从user_groups获取account_id的所有组关联,然后为每个树运行先前描述的过程。如果他们只能访问一棵树,则甚至不需要使用user_groups表。
an example of how the structure fits your model:
group: USA, hierarchy = 0
group: California, parent-> USA, hierarchy = 1
group: Los Angeles, parent->California, hierarchy = 2
group: Texas, parent->USA, hierarchy = 1
group: Dallas, parent->Texas, hierarchy = 2
美国组的成员可以访问所有内容。加州的成员可以访问所有后续组在加利福尼亚州的层次结构,而不是团体得克萨斯州,即使它们具有相同层次值(因为它们是不同的家长分支机构)
account levels:
admin, hierarchy=0
manager, hierarchy=1
analyst, hierarchy=2
staff member, hierarchy=3
每个帐户级别都有所有的每个后续帐户级别的权限。
user accounts:
Bob, manager (likes to spam junk email to everyone)
您仍然可以通过将电子邮件权限permissions_individual_permissions并设置allow_or_deny值设置为FALSE撤销鲍勃电子邮件的权限。这可以让您阻止Bob发送垃圾邮件,而不会将他从管理中降级。
example PHP array:
$account=array(
groups=>array(), //Step 1: array_push each group the account is a member of here. Repeat for each tree from user_groups.
account_levels=>array(), //Step 2: loop through $account[groups], array_push each level here
permissions=>array(), //Step 3: loop through $account[account_levels], array_push each permission here. Then do the same for individual permissions applied to the account
restrictions=>array() //Step 4: loop through individual permissions where allow_or_deny=FALSE, array_push here (do the same for group and account level if you implemented restrictions for those tables as well). Tell your program to ignore permissions from this array, even if the account would otherwise have them.
);
此外,这将允许您为不同的树设置不同的权限级别,因此单个用户可以在一棵树中访问状态,但只能在另一棵树中访问市级。 – mopsyd