I am currently working on an app where I have at least 7 roles. I want
to control all the permissions available for each role. Right now I
have a users table, roles table and a joined table user_roles. I have
3 ideas in mind and will like to hear your opinion on both of them
(and suggestions for better solutions).
The first one is having a models table that contains the following
and a joined table model_roles:
id role_id model_id Permission
1 1 1 15
2 3 3 2
The permission column will be a 4-bit number, each bit representing a
CRUD operation, for example:
0010 = 2
Meaning that the user with role_id 3 can only make updates on the Post
model. The only problem I have found with this approach is that there
might be other actions apart from the CRUD ones.
The other idea is an aro - aco based one (like the way CakePHP handles
having a table with all the possible actions and another one
establishing a relationship between role and the action
the problem with this approach is that it will be a pain to keep these
tables updated along with the permissions.
The other idea is to have an actions table that will contain the name
of a controller and a action
id controller_name action_name
1 events new
and finally a roles_actions table
id role_id action_id
1 1 2
The idea will be to query if the current_user can do an action on a
specific controller. The problem with this approach is that there will
be constant querying on the roles and roles_actions table every time a
user tries to access any action on the app.
Anyone has ideas on how to diminish this? Maybe uploading permissions
and rights for roles on a class on memory, uploading the permissions
for a specific controller on a session (security problems?).
Any ideas or suggestions for of these, or better solutions?