PhpBB3 Permissions System Overview zh
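From the phpBB User Manual
phpBB3 Permission System Analysis
This article is an overview of the phpBB3 permission system: how and where the permission-related data is stored and obtained, and how it is used. It is not meant to be a user guide to setting permissions, although some aspects of that are touched on. I will do my best to understand the code so that this information is as accurate as possible... but this is not official documentation, so errors are always possible. If you find an error, please let me know (point it out on this article's discussion page or post on the phpbbchina forum; if you are certain about the error you may also edit the page directly, but you must state the reason for and time of the change on the discussion page).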
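What is the permission system?
The permission system lets board administrators control what users can and cannot do on the board.
How does it work?
An administrator with the right permissions (of course... the administrator must have the permission to set permissions) can access the Administration Control Panel (ACP) and reach the permission system from there. The administrator can then set permissions for a user or grant access to a feature. Permissions are called "permission options"; users receive the rights these options carry either directly or indirectly through groups, roles and so on.
What are these permission options?
These options allow or deny a user the use of a feature. Examples are 'f_post', 'm_delete', 'a_ban' and 'u_sendpm'.
What are the f_, m_, a_ & u_ in the options?
They indicate the permission type.
What is a permission type?
A permission type groups a class of permissions together. f_ is the forum permission type. m_ is the moderator permission type. a_ is the administrator permission type. u_ is the user permission type.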
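Where is a user's permission data stored?
In the phpbb_users table.
Which fields in the phpbb_users table?
user_permissions - holds the user's permissions. How this field is updated is discussed below.
user_perm_from - if you have the a_switchperm permission you can temporarily use another user's permissions. When you do, this field contains the ID of the user whose permissions you are temporarily using. Normally this field is 0.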
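Where are permission options stored?
In the phpbb_acl_options table.
What fields does this table have, and what do they mean?
- auth_option_id - unique ID of the option
- auth_option - name of the option
- is_global - set to 1 if this is a global option, otherwise 0
- is_local - set to 1 if this is a local option, otherwise 0
- founder_only - set to 1 if this is a founder-only option, otherwise 0
What is a local permission option?
Local permission options are used to grant users forum-based permissions. They let an administrator grant a user the right to use a feature in a single forum: a local permission.
What is a global permission option?
A global permission applies across the whole board.
Can a permission option be both global and local?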
Yes. An option can be both. An example is 'm_edit', the moderator permission to edit a topic. You might grant it to one user for a single forum, while another user might be given it board-wide. To allow this, the option is set to both local and global.
What is a founder only option?
A permission that only a founder can have.
Are any default phpBB permissions founder only?
No.
What is a founder?
A founder is a special type of user. Founder status should only be granted to the most trusted of administrators. A founder can access the permission system to correct his permissions even if another administrator has removed them. Only a founder can remove the founder status of another founder.
What are roles?
Roles are predefined sets of permission options that can be applied to users or groups. If you change a role's permission options, the users or groups assigned the role are updated automatically.
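Where is role information stored?
In the phpbb_acl_roles table.
What fields does this table have, and what does each one mean?
- role_id - unique ID of the role
- role_name - name of the role, usually a language key
- role_description - description of the role, usually a language entry
- role_type - a_, u_, m_ or f_, depending on what the role is aimed at
- role_order - number that determines the order in which the roles are shown in the ACP
Where are the permission options for a role stored?
In the phpbb_acl_roles_data table.
What fields does this table have, and what does each one mean?
- role_id - role id from the phpbb_acl_roles table
- auth_option_id - option id from the phpbb_acl_options table
- auth_setting - one of ACL_YES (1), ACL_NO (-1) or ACL_NEVER (0)
What are ACL_YES, ACL_NO & ACL_NEVER?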
Your effective permission for any option is built up from a combination of details such as which groups you are a member of, which role you have been assigned and whether you have been assigned that permission directly. As such you might have opposing permissions. The YES, NO & NEVER system allows phpBB to combine these different answers for an option and give you the effective permission. If you get a NEVER anywhere, that will be your permission for that option ... a YES cannot override a NEVER. However, a YES does override a NO.
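If I assign a role to a user, where is this information stored?
In the phpbb_acl_users table.
What fields does this table have, and what does each one mean?
- user_id - user ID from the phpbb_users table
- forum_id - for a local permission, the forum ID from phpbb_forums, otherwise 0
- auth_option_id - option ID from phpbb_acl_options
- auth_role_id - if the permission comes from a role, the role ID from the phpbb_acl_roles table, otherwise 0
- auth_setting - stores ACL_YES (1), ACL_NO (-1) or ACL_NEVER (0)
If I assign a role to a group, where is this information stored?
In the phpbb_acl_groups table.
What fields does this table have, and what does each one mean?
- group_id - group ID from the phpbb_groups table
- forum_id - for a local permission, the forum ID from the phpbb_forums table, otherwise 0
- auth_option_id - option ID from the phpbb_acl_options table
- auth_role_id - if the permission comes from a role, the role ID from the phpbb_acl_roles table, otherwise 0
- auth_setting - stores ACL_YES (1), ACL_NO (-1) or ACL_NEVER (0)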
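The auth_role_id indirection described above, as an added example that is not phpBB's own code: it expands rows shaped like phpbb_acl_users (phpbb_acl_groups rows work the same way) into named option settings, which is useful when auditing where a setting came from. All rows are constructed sample data, role 10 is hypothetical, and it is an assumption that a role row carries its settings only in phpbb_acl_roles_data.

```php
<?php
// Constructed sample data shaped like the tables described above.
$acl_options = [ // auth_option_id => auth_option
    1 => 'f_post', 2 => 'f_reply', 3 => 'm_edit',
];
$acl_roles_data = [ // role_id => [auth_option_id => auth_setting]
    10 => [1 => 1, 2 => 1], // hypothetical role: f_post and f_reply set to ACL_YES (1)
];
$acl_users = [
    // Direct option: m_edit = ACL_YES on forum 3, no role involved.
    ['user_id' => 5, 'forum_id' => 3, 'auth_option_id' => 3, 'auth_role_id' => 0, 'auth_setting' => 1],
    // Role assignment on forum 3 (assumption: option and setting columns are unused here).
    ['user_id' => 5, 'forum_id' => 3, 'auth_option_id' => 0, 'auth_role_id' => 10, 'auth_setting' => 0],
];

/**
 * Turn ACL rows into a flat list of option settings.
 * A row with auth_role_id != 0 is replaced by that role's rows from roles_data;
 * any other row contributes its own auth_option_id / auth_setting pair.
 */
function expand_rows(array $rows, array $roles_data, array $options): array
{
    $out = [];
    foreach ($rows as $row) {
        if ($row['auth_role_id'] != 0) {
            $settings = $roles_data[$row['auth_role_id']] ?? []; // unknown role: nothing granted
        } else {
            $settings = [$row['auth_option_id'] => $row['auth_setting']];
        }
        foreach ($settings as $option_id => $setting) {
            if (!isset($options[$option_id])) {
                continue; // option id with no matching phpbb_acl_options row
            }
            $out[] = [
                'forum_id' => $row['forum_id'],
                'option'   => $options[$option_id],
                'setting'  => $setting,
                'via_role' => $row['auth_role_id'],
            ];
        }
    }
    return $out;
}

foreach (expand_rows($acl_users, $acl_roles_data, $acl_options) as $e) {
    printf("forum %d  %-8s setting %2d  %s\n", $e['forum_id'], $e['option'], $e['setting'],
        $e['via_role'] ? "role {$e['via_role']}" : 'direct');
}
```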
So how do I set up permissions now that I know the different parts that are involved?
First you need to decide what you are trying to achieve. If you need to give one user maybe just one extra permission option, then setting it on the user directly might be OK. Otherwise it's best to set permission options on a group and place the user in the group. Or, if you are setting up a lot of permission options, a role might be best. You also need to understand whether the options are global or local.
Setting local (forum) permissions
From the "PERMISSIONS" tab select from "Forum permissions", "Forum Moderators", "Users' forum permissions" or "Groups' forum permissions". If you select either of the last two you will first need to select the forum for which you are setting permissions.
When setting advanced permissions or defining roles what are those tabs?
Each of the tabs represents a permission category. Categories are used to further group permission options together.
So where in the ACP can permissions be set up?
The ACP can be configured to place these modules in multiple places.
OK. So I have set up the permissions, I think. How can I view what permissions a user/group will get?
You view what permissions a user/group has by viewing its permission mask.
What are permission masks?
Masks are the effective permissions your user has for the different types of permission described already. You have user permissions, moderator permissions both local & global, forum permissions & administrator permissions. For each of these you have a permission mask which can be viewed in the ACP. For forum permissions & local moderator permissions you need to select the forum you want to check first.
How do I work out permission masks?
From the "PERMISSIONS" tab select from "View administrative permissions", "View user-based permissions", "View global moderation permissions", "View forum moderation permissions" & "View forum-based permissions". If you select either of the last two you will first need to select the forum whose permissions you want to view.
When viewing masks you can view them for multiple/single user(s) or group(s). Permissions for a group are set. However, since permissions for a user can come from multiple groups, you can trace the permission.
What is tracing a permission?
When viewing the mask of permissions for a user, an icon beside each option will show how the option got its value. The trace starts with the default value, then works through each group the user is a member of, and finally the user's direct permission. For each group, and finally for the user permission, it looks at the setting and updates the total. Remember a NEVER will wipe out any YES and a YES cannot overwrite a NEVER. This is a very handy tool for determining why a user is or is not getting a permission. The final total is the effective permission for the option.
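The YES/NO/NEVER combination rule and the trace order described above, as an added example that is not phpBB's own code. The constant values are the ones listed on this page; the group names and settings are constructed, the function names are hypothetical, and the starting default of ACL_NO is an assumption because the page does not state it.

```php
<?php
// Values as listed on this page for auth_setting.
const ACL_YES = 1;
const ACL_NO = -1;
const ACL_NEVER = 0;

/**
 * Fold one setting into the running total for a single option.
 * NEVER is sticky; otherwise a YES on either side wins over NO.
 */
function combine_setting(int $total, int $setting): int
{
    if ($total === ACL_NEVER || $setting === ACL_NEVER) {
        return ACL_NEVER;
    }
    return ($total === ACL_YES || $setting === ACL_YES) ? ACL_YES : ACL_NO;
}

/**
 * Trace one option: default first, then each group, then the user's direct setting.
 * $group_settings maps group name => setting; $user_setting is null when the
 * user has no direct entry. Returns every step plus the effective value.
 */
function trace_option(array $group_settings, ?int $user_setting, int $default = ACL_NO): array
{
    $total = $default; // assumption: the starting default is ACL_NO
    $steps = [['source' => 'default', 'setting' => $default, 'total' => $total]];
    foreach ($group_settings as $group => $setting) {
        $total = combine_setting($total, $setting);
        $steps[] = ['source' => "group:$group", 'setting' => $setting, 'total' => $total];
    }
    if ($user_setting !== null) {
        $total = combine_setting($total, $user_setting);
        $steps[] = ['source' => 'user', 'setting' => $user_setting, 'total' => $total];
    }
    return ['steps' => $steps, 'effective' => $total];
}

// Constructed sample: one group says YES, another NEVER, and the user has a direct YES.
$names = [ACL_YES => 'YES', ACL_NO => 'NO', ACL_NEVER => 'NEVER'];
$trace = trace_option(['Group A' => ACL_YES, 'Group B' => ACL_NEVER], ACL_YES);
foreach ($trace['steps'] as $s) {
    printf("%-16s %-6s => %s\n", $s['source'], $names[$s['setting']], $names[$s['total']]);
}
echo 'effective: ', $names[$trace['effective']], "\n";
```

In the sample the direct YES on the user does not restore the permission, because the NEVER from the second group has already fixed the total.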
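How are a user's permissions initialised when the user browses the site?
When a user (bots and guests are users too) views a page, the call to $user->session_begin() starts a session; the call to $auth->acl($user->data) then initialises the user's permissions.
The $auth->acl function checks whether the user's user_permissions field needs to be updated. When permissions are updated through the ACP, this field is cleared. If you set permissions for a single user, only that user's record has the field cleared; otherwise the field is cleared for all users. The next time the user logs in, the acl function generates new permission data for the user and writes it to this field.
The code first checks the _acl_options cache and updates it (if the user's permissions need to be rebuilt). If the cache exists but the user's permission data is empty, the code also rebuilds the user's permissions. If both the cache and the user's permission data exist, nothing is done. The field is then converted from a bit stream into an array, and the code uses this array to check the user's permissions.
What does the acl_options cache contain?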
This cache contains an array which has two elements - local & global. Each of these is an array that contains each of the acl options of that type. As with all caches, it checks whether the cache is within a valid timeframe; if the timeframe is OK it will set up the array, else it just returns.
So now that the page has my user's permissions set up, how do I check if a user has a single permission option?
You call $auth->acl_get('u_garage_browse'); where the argument is the option you want to check for.
If it is specific to a forum (i.e. local) then you call $auth->acl_get('u_garage_browse', 3); where 3 is the forum id.

