SoFunction
Updated on 2025-03-01

A brief discussion on C# permission management and design

What I want to share here is my intermittent thinking and learning about permission management and design over this period, along with some personal notes on software development.

When it comes to 'permission management and design', the first person you may think of on this blog site is Jirigala. In this area he can be regarded as a 'big name' or expert, with his 'general permission management system'; one look at his blog tells you that (it may seem I am promoting him, haha, but I am not). I dare not say more for now, but at least it is clear that he has studied the subject deeply and with real fervour, and his system has reached a certain degree of 'maturity'. In his own words, he is trying to take it to the ultimate. What he builds is a universal permission management system, so what does 'general' mean? Let me give my personal understanding:

a. General across (mainstream) databases: using the factory pattern and similar models, the system can easily adapt to different (types of) databases and keeps the software portable. This is the focus of the database design!

b. General in the ideas behind permission management and judgment: the same solution, implementation method or idea can be used across different development languages and project types (at a coarse level: B/S and C/S). In Jiri's permission system, for example, this generality means it can be applied to both web and WinForm programs developed in C#. I personally think the (implementation) ideas (or solutions) are the more important part, just as a good shopping-cart design can be used well in projects developed in PHP, JSP, C# and other languages. [The solution to a problem is basically independent of the programming language; only the implementation differs.]

My main purpose in thinking about and studying permission management and design is this: in future project development, I want to use my own ideas, or (develop) a 'permission management system' similar to Jiri's, and be able to implement the permission management part of the software quickly and effectively (at the moment I find that part quite difficult). My learning and thinking are not limited to my own (abstract) ideas; I am also studying and researching project cases that I feel can improve my ideas and serve as references, such as Jiri's permission system, the (general permission management system) FrameWork104Src, MemberShip, phpcms, ecshop and so on, though due to time constraints I have only briefly looked at the first two. [For thinking, learning or research, the method I suggest is: first work out the general idea yourself, then learn from and refer to other project cases in the same direction as your research (preferably large projects with a certain degree of 'maturity') to improve your ideas and make up for your weaknesses, so that your research starts from a higher point (call it 'standing on the shoulders of giants', haha) and its results will not be 'too much of a failure'. No matter how good or unique your idea is, you cannot think of everything on your own; an idea that seems good to you may only cover one aspect of the problem, and it has not been compared against excellent work. For example, someone once asked me to develop a CMS for him, and I suggested that a CMS done well is not something one person can complete; it is a relatively large project. If you really want to develop it yourself, it is best to learn from popular CMS systems such as phpcms, otherwise what you make may not be half as functional or usable. When doing projects or research you cannot work blindly.
You should refer to and learn from excellent projects, otherwise your project or research will 'die' in development!]
The code is as follows:

/// <summary>
/// Obtain user permissions and operation permissions
/// </summary>
private void GetPermission()
{
    ();

    // User's operation permissions
    = ("");
    = ("");
    = ("");
    = ("");
    = ("");
    = ("");
    // Role's operation permissions
    = ("");
    = ("");
    = ("");
    = ("");
    = ("");
    = ("");

    ();
}

The code above is a piece from the Permission project of Jiri's permission system. Its function can be seen at a glance: based on the permissions of the currently logged-in user, it decides whether the buttons on the page are available. I post it because I personally feel this code is not concise and effective enough; I suggest considering a collection to hold and check the permissions [this is also a feasible approach in my own research, where a simple method is needed; the specific ideas still have to be worked out as a whole before I share them with you].

When looking at the (general permission management system) FrameWork104Src, I also felt its permission judgment was a bit cumbersome. More importantly, I found a bug, one that is easily overlooked in many programs: the permission judgment was not thorough enough. A good permission management implementation should ensure that the software is secure at the root, prohibiting users from 'doing what they are not allowed to do'. The bug is this: I logged in as user A, who has no permission to add members, and to test whether the permission control was thorough I accessed the Add Member page directly by its URL. I got in. Fortunately, clicking the OK button did pop up the prompt 'No permission to this operation'. So here is a reminder to friends currently building permission management functions or modules: check whether the permission management in your software is safe and thorough. Making operation buttons invisible or unavailable does not control the user's operations at the root; you must add permission judgments to the submit method or the processing code itself. It is just like JS validation on a login or registration page: no matter how perfect or powerful it is, the necessary checks must also be in the back-end code!
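As an added example (not code from this post, from Jiri's system or from FrameWork104Src), here is the collection-based check suggested for the GetPermission code combined with the server-side enforcement that the Add Member bug calls for; all class, method and permission-code names are hypothetical:

```csharp
using System;
using System.Collections.Generic;

// Hypothetical names; not code from the original post or from Jiri's system.
public sealed class PermissionSet
{
    private readonly HashSet<string> _codes;

    // Merge the user's own permission codes with those granted through roles,
    // so one lookup answers "can this user do X?" instead of a column of checks.
    public PermissionSet(IEnumerable<string> userCodes, IEnumerable<IEnumerable<string>> roleCodes)
    {
        _codes = new HashSet<string>(userCodes, StringComparer.OrdinalIgnoreCase);
        foreach (var role in roleCodes) _codes.UnionWith(role);
    }

    public bool Has(string code) => _codes.Contains(code);

    // Server-side gate: every submit or processing method calls this,
    // regardless of whether the corresponding button was visible or enabled.
    public void Require(string code)
    {
        if (!Has(code))
            throw new UnauthorizedAccessException("No permission to this operation: " + code);
    }
}

// Stand-in for an "Add Member" page; a real page would redirect or show a message instead of throwing.
public sealed class AddMemberPage
{
    private readonly PermissionSet _perms;
    public bool AddButtonEnabled { get; private set; }

    public AddMemberPage(PermissionSet perms) { _perms = perms; }

    // Page load: first refuse direct URL access, then shape the UI from the same set.
    public void Load()
    {
        _perms.Require("Member.View");               // closes the "typed the URL" path
        AddButtonEnabled = _perms.Has("Member.Add"); // UI hint only, not the control
    }

    // Submit handler: re-check here; a hidden or disabled button is not authorization.
    public string AddMember(string name)
    {
        _perms.Require("Member.Add");
        return "added " + name;
    }
}
```

For a user A holding only Member.View, Load() succeeds with AddButtonEnabled false, and AddMember throws UnauthorizedAccessException even when the request reaches the handler without going through the button.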

Okay, let's leave it at this for now (I find that writing a blog post carefully really takes time, haha). I hope friends doing research in this area will offer more suggestions!