0

In a Laravel application I have users, roles and permissions. Roles are attached to users, and permissions are attached to roles.

Users:

id | name   | email
______________________
1  | saba   | saba@gmail.com
2  | nika   | nika@gmail.com
3  | gio    | gio@gmail.com

Roles:

id | name  
______________________
1  | Admin   
2  | Client   
3  | Service_provider    

Permissions:

id | name  
______________________
1  | add_admin   
2  | delete_admin   
3  | approve_order
4  | delete_order 

User_roles:

id | user_id | role_id
______________________
1  | 1       | 1
2  | 2       | 2

Role_permissions:

id | role_id | permission_id
____________________________
1  | 1       | 1
2  | 1       | 2
3  | 1       | 3

In this example, the user with id 1 is an Admin and he can add_admin, delete_admin, approve_order.

But I need different admins to have different permissions. In this structure, if I attach the Admin role to the user with id 2, his permissions would be the same as those of the user with id 1.

I need different admins to have different permissions, different Clients to have different permissions.

There is a little scenario:

Imagine there are two users, A and B, who want to register as clients, so when they register I will attach the Client role to them. They have the same permissions, but if user A uploads his documents I need to attach a new permission to user A, but not to user B.

My solution is to create a new table where I attach permissions to users:

User_permissions:

Id | user_id | permission_id
____________________________
1  | 1       | 4

So all of a user's permissions will be his role's permissions plus the permissions from the table I described above.

I need to decide whether this solution is good or bad, or if there is any other way better than this. Is there a best practice for this kind of problem?

halfer
Nika Kurashvili

3 Answers

2

You can consider using a cumulative multi-role scheme:

  1. allow each user to have an ordered list of roles.

  2. create custom roles for every user needing a special set of permissions.

  3. allow roles to both grant and withdraw permissions.

Suppose Ann and Beatrice are both admins, but Beatrice may not delete orders. Suppose Catherine is not an admin, but has the right to add admins.

Then you might have these roles set up:

    Admin:  grant approve_order  grant delete_order  grant add_admin  grant delete_admin     
 Beatrice:  withdraw delete_order
Catherine:  grant add_admin

Then Ann has the Admin role. Beatrice has the Admin role and her personal Beatrice role. Catherine has her personal role.

Experience has taught me that such a system is very flexible, but still simple enough to handle standard user configurations easily for many users. BUT, it is hard to audit -- hard to figure out who among your customized users has what privileges. If you use the system for several years, it can be very confusing.

O. Jones
  • Agreed, a multi-role scheme fits this problem. If `Admin` A needs to be able to upload documents, create a new role `DocumentUploader`, and assign both roles `Admin` and `DocumentUploader` to A. – Augusto Moura May 28 '22 at 01:42
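The cumulative scheme from the answer above, with the audit step it calls hard, as an added example that is not part of the original answer or its comment. The table layout, the `position` ordering column, the `effect` column and the function names are assumptions made for illustration; the data is constructed from the Ann, Beatrice and Catherine roles in the answer.

```python
import sqlite3

# Constructed data: the roles and users described in the answer above.
SCHEMA = """
CREATE TABLE user_roles (username TEXT, role TEXT, position INTEGER);
CREATE TABLE role_permissions (role TEXT, permission TEXT,
    effect TEXT CHECK (effect IN ('grant', 'withdraw')));
INSERT INTO role_permissions VALUES
  ('Admin', 'approve_order', 'grant'), ('Admin', 'delete_order', 'grant'),
  ('Admin', 'add_admin', 'grant'), ('Admin', 'delete_admin', 'grant'),
  ('Beatrice', 'delete_order', 'withdraw'),
  ('Catherine', 'add_admin', 'grant');
INSERT INTO user_roles VALUES
  ('Ann', 'Admin', 1), ('Catherine', 'Catherine', 1),
  ('Beatrice', 'Admin', 1), ('Beatrice', 'Beatrice', 2);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_permissions(conn, username):
    """Replay the user's roles in order; the last rule for a permission wins.
    Returns {permission: role that granted it}, so every right is traceable."""
    rows = conn.execute(
        """SELECT rp.permission, rp.effect, ur.role
             FROM user_roles ur
             JOIN role_permissions rp ON rp.role = ur.role
            WHERE ur.username = ?
            ORDER BY ur.position, rp.effect""",  # 'grant' sorts first: withdraw wins ties
        (username,),
    ).fetchall()
    granted = {}
    for permission, effect, role in rows:
        if effect == "grant":
            granted[permission] = role
        else:
            granted.pop(permission, None)  # withdrawing an absent right is a no-op
    return granted

def audit(conn):
    """Invert the view for review: permission -> sorted list of users holding it."""
    report = {}
    users = [u for (u,) in conn.execute("SELECT DISTINCT username FROM user_roles")]
    for user in users:
        for permission in effective_permissions(conn, user):
            report.setdefault(permission, []).append(user)
    return {p: sorted(holders) for p, holders in sorted(report.items())}
```

Running `audit()` on a schedule and diffing its output against the previous run shows which personal roles changed who holds a sensitive right such as `add_admin`.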
0

Good question. You can make a new role for another client with different permissions, without creating a new table User_permissions.

0

You can consider a template scheme. Create template users for each role, with the list of permissions needed.

Then, when adding new users, choose the correct role template and assign the user the same permissions as the template. If they need extra permissions, grant them.

This is simple. But updating a template doesn't update the permissions for the previously existing users made from that template.

O. Jones