Javascript – Permission system using PHP and JS

javascriptpermissionsPHProles

I'm developing an admin dashboard with different areas, where different users may have different permissions. For example:

  • News
    • John: edit, view, add, remove;
    • Carlos: edit, view;
    • Mario: –;
  • Support
    • John: view;
    • Carlos: edit, view;
    • Mario: edit, view, add, remove;

The way I control this permission is via JSON array, containing each area and list of permission. I save this in my MySql database (serializing first) and also on the localStorage. This way I can check on the frontend but also make a final validation on the server side, via PHP.

JSON example:

{
    "area": "news",
    "permission": [
        {"field": "access", "value": true},
        {"field": "read", "value": true},
        {"field": "edit", "value": true},
        {"field": "add", "value": true},
        {"field": "remove", "value": true}
    ]
},
{
    "area": "support",
    "permission": [
        {"field": "access", "value": true},
        {"field": "read", "value": true},
        {"field": "edit", "value": false},
        {"field": "add", "value": false},
        {"field": "remove", "value": false}
    ]
},
...

I'm with doubts about this system because, first, I never did anything like this and didn't found any example, so I don't know if this is the proper way to do this. Also, I'm storing this as JSON because there are admin users who need to edit (with checkbox) this permissions, so it's easier to display this on the frontend.

But I'm very open to change this method based on other criterias you think it's better. I just want to have it security first and also easy to maintain.

Best Answer

Disclaimer: I am by not way an expert on these kind of matters, I'm just sharing how me and my senior are doing our current project.

Database:

Your design looks solid enough, but I would think about how I would hold these permissions in a table.

lets say we have a users table

user_id | name | password
-------------------------
      0 | John |     ****

I can see 2 possible ways you would extend our database to hold these permissions.

You can add permission columns that tell what each user can do 

user_id | name | password| perm1 | perm2 | ... |permn
------------------------------------------------------
      0 | John |     ****|     Y |     N |     |    Y

That will entail having a lot of columns and a messy design. on the plus side you will have the granularity to dictate exactly what one can and cannot do.

You can however add the concept of roles to your design.

You can make a roles table, define the types of user roles (and the kind of permissions they provide) in your application and just give each user a role

user_id | name | password|  role_id
-----------------------------------
      0 | John |     ****|        1

And the roles table

role_id | role_name  | perm1 |....| permn
----------------------------------------
      0 | Admin      |     Y |    |    Y
      1 | Regular    |     N |    |    Y

This way you create a separation of concerns for your users table, instead of placing all your user data into one table that may grow over time (handling dozens of columns in a table is no fun), you can place separate relevant user data across multiple tables. it will also keep your queries short.

(This is similar to how Java web applications provide privileges/permissions to users)

PHP:

For your client view, you can hold a session object that describes the current user, you can use the role value to tell your php scripts what parts of your templates you want to generate for your user.

Example (blade):

@if (user($role) === 'admin')
    <button id="dontclickme">History eraser button</button>
@endif
Related Topic