1

I'm about to develop a management web app with Laravel.

I need my users to have different roles with different permissions.

In detail: some users can add customers, some users can write pieces of a paper related to the customer, some other users can just read that paper, and some other users can read just some pieces of that paper.

So I decided to use an RBAC approach in order to gain a certain flexibility. I'll use this DB schema (just an example schema, but it represents the needs of my application):

(image: dbexample, the example DB schema)

My question is: since there is a direct relationship between users and paper, customer, attachs etc., how are RBAC rules expressed? Do I have to check the user's permissions in the frontend when they request an operation or a resource? Or are there ways to express these rules even at the backend level? Maybe using some GRANT options?

Hope somebody can help. Thank you!

Federico Arona
  • You have to check, if you want to add users to your database, whether the privileges that you can grant per user are sufficient. But I believe that you should do this client side – nbk Nov 02 '19 at 13:38
  • Well, a long way around to keep it all on the MySQL side... with a permission table, a function which checks that permission table, and a view with check option it can also work, of course.. -> https://mariadb.com/resources/blog/protect-your-data-row-level-security-in-mariadb-10-0/ ... – Raymond Nijland Nov 02 '19 at 13:42
  • @RaymondNijland I think that row level security isn't what I need. Let's make an example: - I have three groups: "admin", "assistants" and "workers" - One admin can add a new customer and write everything he wants on a paper. - One "assistant" can write just paper part 1. - One worker can write just paper part 2. Anyway any admin and any assistant can see everything on the paper, while the workers can see just paper part 2 of any paper. But any "worker" can see paper part 2, not just the worker that wrote it. So the policies are applied to the table, not to the single row. – Federico Arona Nov 02 '19 at 13:51
  • *"I think that row level security isn't what I need."* Yes, fair enough. Did you check that last link? That looks a bit more like a Role Based Access Control system with bitmasks.. Anyhow you can use that method as a more suitable role based system (more record based for your groups instead of masks) if you modify the SQL code... – Raymond Nijland Nov 02 '19 at 13:52
  • ... But all is guesswork here, which you might need.. See [how to ask](https://stackoverflow.com/help/how-to-ask) and see [Why should I provide a Minimal Reproducible Example for a very simple SQL query?](https://meta.stackoverflow.com/questions/333952/why-should-i-provide-a-minimal-reproducible-example-for-a-very-simple-sql-query) so that we have a better understanding about the data and your use case.. But like @nbk already said, this is most likely better and more easily handled by the application.. – Raymond Nijland Nov 02 '19 at 13:57
  • Well yes, the last link seems very near to what I need. I'll give it a try. – Federico Arona Nov 02 '19 at 13:57
  • Ok, I will give more details if I find that the last solution isn't suitable for me. I'm really sorry that my question is unclear; this is my first approach to web app development outside of university, so I'm a bit at the beginning – Federico Arona Nov 02 '19 at 14:00
  • *"Well yes, the last link seems very near to what I need. I'll give it a try."* Maybe you need a combination and use a Role Based Access Control system with a bitmask as well.. As you said one admin, assistant and worker, that suggests a bitmask on top of it as well, and you used "any" later, which suggests group based Role Based Access Control.. But that might be a misinterpretation of your example, as it most likely means record locking so that others who also have permissions on the record can't modify the record before the other is finished.. – Raymond Nijland Nov 02 '19 at 14:06
  • you can use ACL for role permission – VIKAS KATARIYA Nov 02 '19 at 16:22

1 Answer

2

I would recommend using one of the RBAC packages already available to you. There are a few out there, but a couple of noteworthy mentions include:

You define roles such as User and Customer, and permissions such as can-write-paper and can-read-paper, and assign them to either roles or individual users depending on your use case.

Peppermintology
  • This seems very useful. I'll give it a try and let you know! Thank you – Federico Arona Nov 02 '19 at 14:17
  • I'm marking this as correct answer since Laratrust was exactly what I needed for my scope. Anyway I will probably add a "RoleLevel" to each table in order to control Insert, Delete etc even on backend. – Federico Arona Nov 08 '19 at 13:27
  • @FedericoArona - Glad it is working for you. What do you mean `RoleLevel` to control `insert` and `delete` operations? That sounds like a `permission` to me. – Peppermintology Nov 08 '19 at 15:47
  • You can also use Casbin for RBAC: https://github.com/php-casbin/laravel-authz – hsluoyz Mar 13 '21 at 02:09
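The following is an added example, not code from the original answer and not the API of Laratrust or Casbin: a framework-free PHP sketch of the role -> permission -> user model the answer describes, filled in with the admin/assistant/worker scenario from the question's comments. The `Rbac` class, the user names and the permission strings are all assumptions. In a Laravel app the same data would live in the package's roles, permissions and pivot tables, and the `can()` check would be called from a policy, gate or middleware on the server, which is where the question's "frontend or backend" concern is settled: the frontend may hide a button, but only the server-side check protects the operation.

```php
<?php
// Added example, not code from the original post, from Laratrust or from Casbin.
// A framework-free sketch of the role -> permission -> user model the answer
// describes, using the admin/assistant/worker scenario from the comments.
// All names below (class, users, permission strings) are assumptions.
declare(strict_types=1);

final class Rbac
{
    /** @var array<string, string[]> role name => permission names */
    private array $rolePermissions = [];
    /** @var array<string, string[]> user name => role names */
    private array $userRoles = [];
    /** @var array<string, string[]> user name => directly granted permissions */
    private array $userPermissions = [];

    public function grantToRole(string $role, string ...$perms): void
    {
        foreach ($perms as $perm) {
            $this->rolePermissions[$role][] = $perm;
        }
    }

    // The answer's "or individual users": a per-user grant that bypasses roles.
    public function grantToUser(string $user, string ...$perms): void
    {
        foreach ($perms as $perm) {
            $this->userPermissions[$user][] = $perm;
        }
    }

    public function assignRole(string $user, string $role): void
    {
        $this->userRoles[$user][] = $role;
    }

    // Deny by default: true only if a direct grant or one of the user's roles
    // carries the permission. Unknown users and unknown permissions get false.
    public function can(string $user, string $perm): bool
    {
        if (in_array($perm, $this->userPermissions[$user] ?? [], true)) {
            return true;
        }
        foreach ($this->userRoles[$user] ?? [] as $role) {
            if (in_array($perm, $this->rolePermissions[$role] ?? [], true)) {
                return true;
            }
        }
        return false;
    }

    // Server-side gate. Hiding a button in the frontend is cosmetic; this is
    // the check that actually protects the operation.
    public function authorize(string $user, string $perm): void
    {
        if (!$this->can($user, $perm)) {
            throw new RuntimeException("403: '$user' lacks '$perm'");
        }
    }
}

// Permissions are named per table and paper part, which is what the comment
// thread calls a policy applied to the table rather than to a single row.
$rbac = new Rbac();
$rbac->grantToRole('admin',
    'customer.create', 'paper.part1.write', 'paper.part2.write',
    'paper.part1.read', 'paper.part2.read');
$rbac->grantToRole('assistant', 'paper.part1.write', 'paper.part1.read', 'paper.part2.read');
$rbac->grantToRole('worker', 'paper.part2.write', 'paper.part2.read');

$rbac->assignRole('alice', 'admin');
$rbac->assignRole('bob', 'assistant');
$rbac->assignRole('carol', 'worker');

// Column-level read: return only the parts of a paper the caller may see.
function visibleParts(Rbac $rbac, string $user, array $paper): array
{
    $visible = [];
    foreach (['part1', 'part2'] as $part) {
        if ($rbac->can($user, "paper.{$part}.read")) {
            $visible[$part] = $paper[$part];
        }
    }
    return $visible;
}

$paper = ['part1' => 'intake notes', 'part2' => 'work log']; // constructed sample row

echo json_encode(visibleParts($rbac, 'alice', $paper)), PHP_EOL;
echo json_encode(visibleParts($rbac, 'carol', $paper)), PHP_EOL;
var_dump($rbac->can('bob', 'paper.part2.write'));
var_dump($rbac->can('nobody', 'paper.part2.read'));

// A direct per-user grant on top of the role, without widening the worker role.
$rbac->grantToUser('carol', 'paper.part1.read');
echo json_encode(visibleParts($rbac, 'carol', $paper)), PHP_EOL;

try {
    $rbac->authorize('carol', 'customer.create');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php rbac.php` (PHP 7.4 or later for typed properties). The admin sees both parts, the worker sees only part 2 until the direct grant adds part 1, the assistant cannot write part 2, an unknown user gets nothing, and the last call fails the gate because no role of the worker carries `customer.create`. The point the answer's comments circle around is visible here: the "RoleLevel" column the asker proposes per table is just another permission string in this model, so it belongs in the permission table rather than alongside the data rows.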