Folder permissions for PHP file uploads - private/public/shared views?

I'm writing a php file upload script for a project - I have seen all the great opensource ones out there, but I've decided to do my own as I have a level of user access rights that I can't seem to find anywhere.

So this is what I'm trying to do:

1. Normal file uploads area, exactly like elFinder
2. Some way to restrict certain users to view the folders and/or files, depending on what group they belong to. I need to do this as this is for an organisation I work in where certain users can only see the docs they are supposed to

Originally I decided to make a mysql solution where each and every folder has an ID, and when you create a folder you specify the groups that are allowed to view that folder - but this doesn't seem like the most elegant solution.

Can anyone suggest a theoretical way to do this? I'm happy to code it all in PHP, but I just can't get my head around the best way to do this.

Is there some way (short of naming folders in spe开发者_运维技巧cific ways), that folders and files have properties I can exploit here?

---

Since you have exacting permission requirements, you can implement a structure similar to UNIX's granular approach to file permissions. Each file or folder should have an owner, a group, and a permissions string which looks like '755'.

The first position of the permission string pertains to the owner of the file or directory. The number 4 stand for read privileges, 2 stands for write privileges, and 1 stands for execute privileges. The permission is cumulative, so a permission of 7 in the first column (4+2+1) means the owner has read, write, and execute permission.

The second column pertains to the group. In this case, group members can read (4) and execute (1) (4+1=5).

The third column pertains to everyone who is not the owner or member of the group. This position is known as 'world' or 'other.' In this example, 'other' users also have read (4) and execute (1) permissions.

After creating owner, group, and permission columns for each file/directory, you will need to create a 'groups' table, and a table to map users to groups ('user_groups'). Then assign each user to one or more groups, and assign owner, group, and 'other' permissions to each folder (and file if needed).

For more information on Unix file systems, see this tutorial.

---

What about setting up some sort of basic unix-like permissions on each file. I'm assuming that when the user uploads the files they get stored in a database instead of just freely uploading to a folder and letting people directly navigate to it to download. Add the following database tables:

• Users - Every user gets one entry and has a user_id as well as information to authenticate the user with a password, full name, email, etc.
• Groups - contains two columns group_id and group_name
• UserGroups - Contains two columns, user_id and group_id. To add a user to a group, simply add their user_id and the respective group_id as an entry to this table.
• Files - contains all the info you have on the file plus a group (which will be the group allowed to access the files), a group permission and an other permission. These last two will be whether or not the group has access to view the file and whether everyone has permission to access it respectively.

Then every user can be added to whatever group you specify and will therefore have permissions to access the files accordingly. You can also make it so that nobody can see the files by setting the group permissions to 0.