Basic php mysql user management (User management in cakephp)

[sathyashrayan]

Dear group,
I am working on a project management tool.I have this simple problem
but i could not get an correct solution. I have a user table that
belongs to a role (group). The role table is dynamic and tree in
nature. I could be editable and deletable. Each roles's id is inserted
in a user table as FK key. Now I have a situation where each roles
need to be an multiselect option which should be separate. So i need
an if-else-if. But what to be checked as an condition where all the
roles are dynamic, including ID and name?

My situation is a project management system where each user belongs
to an roles such as super admin, developer, tester ect. Nothing is
static..

I saw druapl, joomla database. They have users, roles, and a mapping
table roles_users table. Is that what i got to do on this situation?
But my project is a tool that has different database for each end-
user. There is no initial level of user at the starting. This project
is in cakephp. Any help?

[Gordon Burditt]

> I am working on a project management tool.I have this simple problem

My idea of a project management tool is one which most every person
working on a project will use (or at least every manager working
on the project), to report status on what progress is being made,
track deadlines, and get their assignments. It goes far beyond
just making Gantt charts for use in meetings. If I have misunderstood,
I need more details on what your tool does.

> but i could not get an correct solution. I have a user table that
> belongs to a role (group). The role table is dynamic and tree in
> nature. I could be editable and deletable. Each roles's id is inserted
> in a user table as FK key. Now I have a situation where each roles
> need to be an multiselect option which should be separate. So i need
> an if-else-if. But what to be checked as an condition where all the
> roles are dynamic, including ID and name?

The user has to present *SOMETHING* as identification when s/he
logs in, starts a session, or whatever. What is it? A retinal eye
pattern? A thumbprint? A user name and password? Swiping his
employee ID smart card? That can't be so dynamic that it's generated
at the start of a session. It probably corresponds to a single
person. The user might log in to one project at a time. If OS
logins exist for each person, perhaps you could leverage this and
use the OS definition of "user".

Another thing that can't be very dynamic is the basics of the
privileges themselves. Somehow it's got to come down to a base
privilege, like "Can enter men's restroom on the 4th floor". If
you have that privilege, you can enter the men's restroom on the
4th floor, otherwise you can't (some systems might want to break
down the privilege by time, so you can enter only during specific
hours). There is nothing dynamic about this. Roles can assign the
privilege to cleaning staff and male employees on the 4th floor,
but you can't redefine the basic privilege of "Can enter men's
restroom on the 4th floor" to include use of missile launch codes.
Granted, you could have roles and individual privileges assign the
"can use missile launch codes" privilege to the same people as the
"Can enter men's restroom on the 4th floor" if you like.

You might find it reasonable to combine privileges like "Can enter
men's restroom on the 4th floor" and "Can exit men's restroom on
the 4th floor" if you are sure that they will be assigned to the
same people. Beware, though, that denying exit privileges to
the guy that fell through the floor above or firefighters that
came in through the wall may get you in legal trouble.

For a project management setup, privileges might include "can
create a new project", "can add new tasks to an existing project",
"can change due dates for a specific task", "can post updated
status on a task", and "can assign a task to a specific employee".
Some of these might depend on your relationship to a given item,
for example, "can change due dates for a specific task I manage",
"can change due dates for a specific task I am assigned" or
"can change due dates for a task I am unrelated to".

What enforces the rules? MySQL by itself doesn't have roles. It
is common for a web app to have its own MySQL login which pretty
much controls the database it's using (read/write but maybe not
schema changes) and the web app implements a type of user that is
a creature of the web app itself (there need not be a corresponding
MySQL or OS user) and it enforces its own rules.

> My situation is a project management system where each user belongs
> to an roles such as super admin, developer, tester ect. Nothing is
> static..

Somewhere you've gotta have code that says: to perform this action,
(say, "flush toilet in stall #3 in the 4th floor men's room during
first shift" or "mark a task in a project complete") you need *THIS*
privilege, and if the roles & such assign you that privilege, you
can do it, otherwise, you can't. This privilege is not dynamic,
although who has it may be.

> I saw druapl, joomla database. They have users, roles, and a mapping
> table roles_users table. Is that what i got to do on this situation?

Somehow you need to map the current user to a set of privileges
that he does and doesn't have. If that involves roles as an
intermediate step, fine. Note that it is possible to have multiple
intermediate steps, say, roles (manager, developer, tester),
departments (the web site, shipping, purchasing, accounting, etc.),
and jobsites (New York, Paris, Peking), and you may get privileges
for the rest rooms on your jobsite, and your role may only give you
privileges for projects in the same department as you are.

The set of privileges that exist (and might be assigned to a user)
is probably not going to be that dynamic (since you need code to
enforce access). "Create a new project" might be one. Chances are
you are not going to be able to add "Create a new country" privilege
by just updating tables. Once there *IS* a "create a new country"
privilege, you can assign it to people by just updating tables.

> But my project is a tool that has different database for each end-
> user. There is no initial level of user at the starting. This project
> is in cakephp. Any help?

It would seem difficult to maintain a project management database
if the manager running the project and the peon working on the
project can't share data on the status of the task the peon is
working on for the project. One database for each project and one
database for the administrative stuff (users, roles, privileges,
etc.) might be appropriate. Or maybe it's one database for
the whole thing, with a set of tables for each project, and a set
of tables for the users/roles/privileges. Or perhaps different
projects are merged in the same tables with rows with different
project IDs.