Hey, I have the need to create user accounts with different access - Ormauth is the right stuff for this, but as I read the documentation, it's hard to understand the concept. I will try to explain my questions with examples.
So I need to create a system where there are:
super-admins(full permissions)
moderators(can do everything except add new moderators)
artists(have permission to change info on 1 section)
So far I understand that I will need 2 groups - super-admins and moderators. Moderators will contain moderators and artists, which seems logical because both do site moderation. Or am I wrong? Or do I just need to create 3 groups?
Does the strength of permissions go from the weakest, groups -> roles -> user?
Continuing from what I know right now, I need to create 3 roles - super-admins, moderators, artists. Where super-admins will have the "A" filter, aka everything, moderators will have access to everything except adding/managing moderators. Artists can only manage the map section of the backend.
I add all roles related to the moderators group in the "users_group_table":
moderators : moderators
moderators : artists
(in the table they are ids according to the "users_roles" and "users_groups" tables; here by name to illustrate better)
How do I tell if a user is an artist, if he is related to the moderator group which has both roles (moderator and artist)? Do you do this by adding user roles manually?
I read about the "R" filter for roles, but what does "Permissions set on this role will be removed from the aggregated permissions set." mean?
EDIT: Tips for creating a form which allows adding users with a corresponding group which is lower than or equal to the group of the user who creates them?
From the bottom up, everything starts with a permission definition. It is defined using an 'area', a 'permission', and an optional list of possible 'actions'. These are just strings, so you can use any system that suits your application.
Permissions can be assigned to a Role, a Group or a User. A User is a member of a group, and can be assigned multiple roles. At the moment multiple groups is not supported.
For me, "admin", "moderator", "artist" are all roles, they define a task or job you have to perform (which is why you get permission). Groups are "users", "guests", "banned", etc. But you might want to use it differently.
For every user, Ormauth calculates what is called the user's effective rights. It uses the following mechanism:
- If the user is assigned a Role that has an 'A' filter, the user has all permissions
- All assigned permissions (direct and inherited via group and roles) are accumulated
- If the user is assigned one or more Roles with a 'D' filter, the permissions assigned to these roles are removed from the accumulated list
This means you can create a construction where an Admin role has the 'A' filter, but a second role has a 'D' filter that revokes access to invoices. Which means the admin may access everything, except the invoice system.
The effective rights set is cached, so if you want to know exactly what is in it, use the Cache class to read a specific user's cache file, and dump its contents.
As for access, you don't need to know which role or group is assigned. You call Auth::has_access("blog.comments[add,edit]"), and you get true returned if the current user may add and edit (note, not or!) blog comments. From the controller's point of view it's not relevant how the user got this access (i.e. how the user got this permission).
So as I understand it, I need to place 'artists' and 'moderators' in the moderator group and create individual database entries saying that the user who needs to be an 'artist' is assigned to the 'artists' role in the 'users_users_roles' table? Or should I just create a group called 'artists'?
What about the "R" filter, how does it work when a user is assigned to multiple roles?
What's a way to define the weight of a role or group? Example: admin would weigh more than moderator due to more permissions and so forth.
I would not even create a 'moderator' group, as I don't see the added value of it. They are both users.
Ormauth works, as the name implies, with ORM models, so to assign a user to a role, fetch the user and the role record and relate the two. No need to fiddle with tables, ORM deals with that for you.
The roles with an 'R' filter are processed at the end, and all permissions assigned to those roles are removed from the effective rights list of the user. It doesn't matter how many roles, it only looks at the aggregated permissions list.
Say you have this:
- RoleA
  - permission a.b[a]
  - permission c.d[a]
- RoleB
  - permission a.b[b,c]
  - permission c.d[a,b]
- RoleC
  - R permission a.b[b] // remove action b from permission a.b
  - R permission c.d[a] // remove action a from permission c.d
The effective rights of the user will be:
- permission a.b[a,c]
- permission c.d[b]
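To make the mechanism from both answers concrete (the A/accumulate/revoke order, and the "every listed action must be held" rule of has_access), here is an added model of that calculation in plain Python. It is not Ormauth's own code; the role tuples, the `has_all`/`perms`/`revoked` return shape, and the choice to drop a permission once all its actions are revoked are assumptions of this illustration, and the RoleA/RoleB/RoleC data is the constructed example from the answer above.

```python
# Added model of the effective-rights calculation described above; not Ormauth's
# code. A role is (filter, perms): 'A' grants everything, 'R' (called 'D' earlier
# in the thread) revokes its permissions, None just contributes. Perms map
# "area.permission" -> set of actions; an empty set is the bare permission.
from typing import Dict, List, Optional, Set, Tuple

Perms = Dict[str, Set[str]]
Role = Tuple[Optional[str], Perms]

def merge(into: Perms, perms: Perms) -> None:
    for key, actions in perms.items():
        into.setdefault(key, set()).update(actions)

def effective_rights(roles: List[Role], group: Perms, user: Perms):
    """Return (has_all, perms, revoked) following the order the answer gives."""
    has_all = any(f == 'A' for f, _ in roles)           # step 1: 'A' filter
    perms: Perms = {}
    for src in [group, user] + [p for f, p in roles if f is None]:
        merge(perms, src)                                # step 2: accumulate
    revoked: Perms = {}
    for f, p in roles:
        if f != 'R':
            continue
        for key, actions in p.items():
            if not actions or (key in revoked and not revoked[key]):
                revoked[key] = set()                     # whole permission revoked
            else:
                revoked.setdefault(key, set()).update(actions)
    for key, actions in revoked.items():                 # step 3: remove
        if key in perms:
            perms[key] -= actions
            if not actions or not perms[key]:            # assumption: drop if empty
                del perms[key]
    return has_all, perms, revoked

def parse_check(spec: str) -> Tuple[str, Set[str]]:
    """'blog.comments[add,edit]' -> ('blog.comments', {'add', 'edit'})."""
    key, _, rest = spec.partition('[')
    return key, {a.strip() for a in rest.rstrip(']').split(',') if a.strip()}

def has_access(rights, spec: str) -> bool:
    """Auth::has_access semantics: every listed action must be held (AND, not OR)."""
    has_all, perms, revoked = rights
    key, actions = parse_check(spec)
    if key in revoked and (not revoked[key] or actions & revoked[key]):
        return False                                     # revocation beats 'A'
    return has_all or (key in perms and actions <= perms[key])

# Constructed sample: the RoleA/RoleB/RoleC example from the answer.
ROLE_A: Role = (None, {'a.b': {'a'}, 'c.d': {'a'}})
ROLE_B: Role = (None, {'a.b': {'b', 'c'}, 'c.d': {'a', 'b'}})
ROLE_C: Role = ('R', {'a.b': {'b'}, 'c.d': {'a'}})
```

Running `effective_rights([ROLE_A, ROLE_B, ROLE_C], {}, {})` yields a.b[a,c] and c.d[b], matching the answer, and an 'A' role paired with an 'R' role reproduces the "admin except invoices" construction.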