Hi, I'm currently using the Auth package in one of my projects. I have several permissions assigned to different groups. However, now I'd like to specify some of the permissions to one user. What is the final array of permissions if group (in table users_group_permissions) has permissions [1,2,3,4], but user (in table users_user_permissions) has only [5]?
Permissions are cumulated, so in this case the user has permissions [1,2,3,4] because of group membership, and [5] because of direct assignment, so the effective permissions for this user are [1,2,3,4,5].
If you don't want that, you need to specifically revoke rights, which you can only do through roles.
But I would suggest to revise your permission system. If a user is a member of a group but is not allowed to have the permissions assigned to that group, there's something wrong in your permission system.
Ideally you should use groups only for what they are meant: to group together users that are otherwise unrelated, like "Members" or "Employees", and use roles to assign permissions. A user needs permissions to do something, and that something is a role this user performs. Like "Moderator", "Project Manager" or "Paymaster".
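The resolution described in the answer above, as an added example that is not part of the original thread and not the Auth package's own code. The function name, the array keys (`name`, `revoke`, `permissions`) and the role name are hypothetical, and the model assumes a revoking role wins over a grant from any source.

```php
<?php
declare(strict_types=1);

/**
 * Simplified model of cumulative permission resolution.
 * Hypothetical helper: it does not call or reproduce the Auth package.
 */
function resolvePermissions(array $groupPerms, array $userPerms, array $roles): array
{
    $sources = []; // permission id => list of places it was granted
    $revoked = []; // permission id => name of the role that revoked it

    // Grants accumulate: group membership plus direct user assignment.
    foreach ($groupPerms as $p) { $sources[$p][] = 'group'; }
    foreach ($userPerms as $p)  { $sources[$p][] = 'user'; }

    // Roles either add permissions or explicitly revoke them.
    foreach ($roles as $role) {
        foreach ($role['permissions'] as $p) {
            if ($role['revoke']) {
                $revoked[$p] = $role['name'];
            } else {
                $sources[$p][] = 'role:' . $role['name'];
            }
        }
    }

    // Assumption: a revocation removes the permission whatever granted it.
    $effective = array_keys(array_diff_key($sources, $revoked));
    sort($effective);

    return ['effective' => $effective, 'sources' => $sources, 'revoked' => $revoked];
}

// Constructed data matching the question: group [1,2,3,4], user [5], no roles.
$result = resolvePermissions([1, 2, 3, 4], [5], []);
echo 'no roles:    ', json_encode($result['effective']), PHP_EOL;

// Same user with a constructed revoking role that removes permissions 3 and 4.
$roles  = [['name' => 'restricted', 'revoke' => true, 'permissions' => [3, 4]]];
$result = resolvePermissions([1, 2, 3, 4], [5], $roles);
echo 'with revoke: ', json_encode($result['effective']), PHP_EOL;

// Audit view: where each remaining permission comes from.
foreach ($result['effective'] as $p) {
    echo "permission $p granted via ", implode(', ', $result['sources'][$p]), PHP_EOL;
}
```

The audit loop at the end shows which permissions reach a user through direct assignment rather than through a role, which is the kind of exception worth reviewing in a least-privilege setup.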