New authentication model

[pavelskipenes]

Current permission logic is so complex that you hope you never want to touch it ever again. There are also some limitations. If a user , as of today, does not strictly fit inside a permission group then:

• group permissions has to be extended (other members in the group get higher permission)
• a new group with correct permission has to be created
  Right now there are two security classes in the source code. Authenticator and access_control the idea is to get rid of access_control and extend Authenticator or maybe just rewrite them somehow. Right now access_control is responsible for authorization while Authenticator is responsible for authentication. These two has similar responsibilities so they should imo be merged together.

-- list permissions for a resource for each group
CREATE TABLE group_permissions(
    id int NOT NULL AUTO_INCREMENT,
    group_id int NOT NULL, -- which group can access
    resource text NOT NULL,
    write_access, tinyint(1) NOT NULL DEFAULT 0, -- if 0 => read access
    PRIMARY KEY(id)
);

-- list of groups
CREATE TABLE groups(
    id int NOT NULL AUTO_INCREMENT,
    name text NOT NULL,
    PRIMARY KEY(id)
);

INSERT INTO groups VALUES (0, "not_authenticated"); -- some resources should be given to unauthenticated users like read store/products

-- list of users
CREATE TABLE users(
    id int NOT NULL AUTO_INCREMENT,
    name text NOT NULL,
    username text NOT NULL,
    password VARCHAR(32),
    last_password_reset date DEFAULT NULL,
    PRIMARY KEY(id),
    UNIQUE KEY(username)
);

-- what group is each user member of
CREATE TABLE group_members(
    id int NOT NULL AUTO_INCREMENT,
    users_id int NOT NULL,
    group_id int NOT NULL,
    PRIMARY KEY(id)
);

A user can be a member of multiple access_groups. An access_group can have access to multiple resources. A resource is just a string that represent a collection of tools that are related together.

// enums are not available before php 8
enum RESOURCES(
    case All, // available for all clients without authentication like read inventory (list of products) 
    case Authenticated; // access for all logged in users like change password
    case Store; // add / remove products from the store
    case Members; // see and modify personal information for current member
    case Enrollment; // approve manual membership requests
    case Content; // modify text content and images on the front end
);

class Authenticator{
    static public function can_access(RESOURCE ?$resource){
        if(!Authenticator::logged_in() && Authenticator::log_in_required($resource)){
            throw new Exception("access denied");
        }

    }
}

Authenticator::can_access(RESOURCES::Store);

// perform actions that require authorization