Kirzilla

Reputation: 16596

What should a permissions bitmask look like with view/edit/add/remove permissions? How do I use it?

A user can view/edit/add/remove objects (categories, users, items, etc.). What is the best practice to store (in MySQL), manage, and check whether a user has such permissions?

An Acl class will control whether the user is allowed to execute a controller's method or not.

Upvotes: 1

Views: 363

Answers (2)

Wh1T3h4Ck5

Reputation: 8509

I'm using a binary string stored as a hex value in the database.

When I've read the hex value (permissions) from the database for the appropriate client, I convert it to a binary string where every digit (0 or 1) represents the state of some permission flag. Permission flags are defined by position in the binary string, e.g.:

0 -> can read
1 -> can write
2 -> can access gallery
3 -> can access pools
4 -> can ban users
5 -> can drink beer
...

When needed, just validate every binary digit against the appropriate permission and store it in a permission array as a boolean value.

Also, I have stored some permissions as groups like administrators, moderators, gallery editors, etc...

Look here: "Which data type is suitable for storing this situation?" for a better explanation and examples.

Upvotes: 1
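A sketch of the hex-stored bitmask approach from the answer above, applied to the question's view/edit/add/remove permissions. This is an added example, not code from the answer; the names `Perm`, `decode_mask`, `to_flags`, `is_allowed`, `grant`, `revoke` and `encode_mask` are hypothetical, and it assumes position 0 is the least significant bit.

```python
import re
from enum import IntFlag


class Perm(IntFlag):
    # Assumption: position 0 is the least significant bit of the stored value.
    VIEW = 1 << 0
    EDIT = 1 << 1
    ADD = 1 << 2
    REMOVE = 1 << 3


KNOWN_BITS = 0b1111  # every bit that has a defined meaning above
HEX_RE = re.compile(r"[0-9a-fA-F]{1,8}")


def decode_mask(hex_value):
    """Parse the hex string read from the database, failing closed.

    Malformed input, or a value that sets a bit with no defined meaning,
    yields no permissions instead of a partially trusted mask.
    """
    if not isinstance(hex_value, str) or not HEX_RE.fullmatch(hex_value):
        return Perm(0)
    raw = int(hex_value, 16)
    return Perm(0) if raw & ~KNOWN_BITS else Perm(raw)


def to_flags(mask):
    """Expand a mask into the per-permission boolean array."""
    return {p.name.lower(): bool(mask & p) for p in Perm}


def is_allowed(mask, required):
    """Default deny: every required bit must be set, and one must be asked for."""
    return int(required) != 0 and (int(mask) & int(required)) == int(required)


def grant(mask, perm):
    return Perm(int(mask) | int(perm))


def revoke(mask, perm):
    return Perm(int(mask) & ~int(perm))


def encode_mask(mask):
    """Hex string to write back to the database column."""
    return format(int(mask), "x")
```

An Acl check before a controller method would call `is_allowed(decode_mask(stored_hex), Perm.EDIT)` and refuse the request on `False`.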

Albireo

Reputation: 11095

Are you sure you want to go with bitmasks?

If you have many roles your bitmask number can get very high, and a query to search who has permission X would be bad performance-wise.

Personally, I like to store such data in a two-column table (UserId, PermissionId); this way it's both scalable and easy to maintain. To check who has a permission or which permissions a user has, you only need a SELECT or a JOIN.

Upvotes: 0
