I'm developing an administrative panel where I have some users and they should have different permissions levels.
At the same time, it should be something "dynamic" for control of basic actions, such as: reading, editing, adding, and removing. And that is segmented by area.
For example:
Users
- Joao - Administrator
- Carlos - Attendant
Area
- News:
- John: Full Control
- Carlos: Full Control
- Support
- John: Full Control
- Carlos: Read, Modify
This control must be stored in the database ( MySql & PHP ) so that there is permission control also in the backend . To achieve this goal, I thought of 2 modes, but I do not know the advantages of using one or the other.
Model 1
Create a permissions management table, for example:
id(PK) | id_usuario(int) | area(string) | permissao(string)
1 | 12 | noticia | tudo
2 | 14 | noticia | ler
3 | 14 | noticia | editar
So, for each area and each desired action, simply insert or remove a new record in the bank.
Model 2
Create only one more field in the users table, e.x. permissao and save an object in JSON for future validation. Being something like this:
permissao: {
noticia: {
ler: true,
editar: true,
adicionar: true,
remover: false
},
suporte: {
ler: true,
editar: false,
adicionar: false,
remover: false
}
}
And to enter in the database, just use serialize of PHP.
The second method seems to me to be more convenient because it makes it easier to use in frontend and seems to be better manageable even for backend .
But since I have not developed anything like this before, I do not know if I'm ignoring some important point, since this involves information security, since I need to manage which users control certain areas.
I can (and probably will also be) use another field to allow access to that area, e.x. acesso: true to allow the user to access a page before checking to see if you can edit the content.