- Bitwise operators
- Defining permissions
- Create user classes
- Check if user can
- Test all roles and permissions

This will be a quick tutorial on how to use bitwise operators in PHP to create permissions control. Some of next tutorials will cover how to implement it in application and how to use database to store permissions for users. Now some basics.

**Bitwise operators**Top

Those are operators (`&`, `|`, `^`, `~`, `>>` and `<<`) in PHP that convert your value to bites and then do their job. Here are some examples on those that we will use (`&`, `|` and `~`).

**How do they work?**Top

Their work is very simple. First they convert passed value to bits and then, depending on operator, check for set/non set bits. Let’s take for and example 4 bits integer (on 32 bit systems they are 32 bit integers but to simplify we will use 4 bits). Maximum value of that integer is 15.

Why?

Because 4 bit representation of 15 is 1111 and that are those 4 bits.

How do we get them?

Every bit has its position, right to left, starting from 0. That position is used as exponent for base 2 and then multiplied with value (0 or 1) on that position. To make it more clearly we will convert 1010 to integer. Starting from right to left first number is 0 so we do . Then we have . Next we have and last we have . Then we make sum of those number we got .

Now that you know what are bits, we can go further.

**And operator (`&`)**Top

This operators looks for bits that are set in both arguments and returns them. Let’s say you have this

echo 3 & 6;

This would return 2.

Why?

Because if we make bit representation of those numbers like this

Integer | 8 | 4 | 2 | 1 |

3 | 0 | 0 | 1 | 1 |

6 | 0 | 1 | 1 | 0 |

3 & 6 | 0 | 0 | 1 | 0 |

you can see that only bits from column two are set in both 3 and 6. Since `&` searches for bits that are set in `a` and `b`, bit under two is set and is returned.

If we'd have

Integer | 8 | 4 | 2 | 1 |

11 | 1 | 0 | 1 | 1 |

14 | 1 | 1 | 1 | 0 |

11 & 14 | 1 | 0 | 1 | 0 |

it would return10 because bits under 2 and 8 are set. Sum of 2 and 8 is 10.

**Or operator (`|`)**Top

This operator looks for bits that are set (value is 1) either in `a` or in `b`. For example

echo 3 | 6;

would return 7 because if you look at our table bits 4, 2 and 1 have value of 1. Bit 8 has value if 0 in both of them and he is not set. When you make sum of 4, 2 and 1 you get 7.

echo 11 | 14;

would also return 15 because every bit is set in at least one of them. Bit 8 is set in both of them, 4 is set in 14, 2 is set in both of them and 1 is set in 11.

**Not operator (`~`)**Top

This operator just sets bits that are not set and unset bits that are set (1 goes to 0 and 0 goes to 1).

For example

echo ~6;

would return 9 because bits that are 1 now, are 0 and those that are 0, not are 1. If you look at our table bits 8 and 1 have value of 0 and they are not set. But bits 4 and 2 have value of 1 and they are unset. Now you have 1001 and that is 9. If we where using 32 bit integers then we would get -7.

Why?

Because 32 bit integer has 32 times 0 or 1. 32 bit representation of 6 would be 00000000000000000000000000000110 and when you make it inverse you get 11111111111111111111111111111001 which corresponds to -7.

**Defining permissions**Top

Now that you know how operators work, we can create our permissions control. We will use simple class with 4 constants defined to make it simpler (we could use normal constants but I intend to make it as much as possible object oriented).

This is class.

class perm { /** * Read constant. * * @var int */ const READ = 1; /** * Edit constant. * * @var int */ const EDIT = 2; /** * Publish constant. * * @var int */ const PUBLISH = 4; /** * Delete constant. * * @var int */ const DELETE = 8; }

As you can see we have numbers like 1, 2, 4 and 8. There is no number like 3 or 5 or 6 because we are looking for number that have just one bit and that other number do not have. Just use number that are potency of 2 (, , and so on).

**Create user classes**Top

Now we will use bitwise operators to make classes (not PHP classes, but classes like `Guest` or `Admin`).

This is code.

$guest = perm::READ; $editor = $guest | perm::EDIT; $moderator = $editor | perm::PUBLISH; $publisher = $moderator & ~perm::EDIT; $admin = $moderator | perm::DELETE;

As you can see, $guest can only read (permission 1). $editor can read and edit. We just extend previous role and add new features. If you'd have 20 permissions, you would not for each role write what he can and what he can not do, instead you would extend role witl lover permission and add/remove feature. $moderator can everything that can $guest and $editor and he can also publish. But $publisher can everything that $moderator can, except he can not edit. And last, $admin can all.

Let me explain how did we created those roles. If you remember, on start I explained those operators. READ permission has only one bit set and that is first bit. EDIT has also only one bit and that is second bit. When we use `|` operator then we extend those two permissions and have two bits set and those are first and second. Then we do the same for $moderator and add one more bit (third bit). On publisher we want to disable one permission. To do that we inver permission that we want to disable so that only bit that is set becones 0 and all other become 1. Then we use `&` operator and set all bits that are set in both numbers. Here is how it works (we'll work again with 4 bits and not 32).

Variable $moderator has value of 7 (0111). Constant perm::EDIT has value of 2 (0010). When we invert EDIT constant we have 1101. Now we use `&` and we set only those bits that both have. In our example those are first and third bit. As you can see we do not have second bit because it was removed and that role has no EDIT permission.

**Check if user can**Top

This is the most easier part. We just use if statement and `&` operator. If we would like to check if $publisher can publish we would do it like so.

if ($publisher & perm::PUBLISH) echo 'Can'; else echo 'Can not';

This would print `Can`.

Ok, but why do we use `&` to check if user can or can not do that?

Well, it's simple logic. If you remember, every bit that is set in both of them is returned. If no bit where set, 0 is returned and if there where any bits set then some integer that is not 0 is returned. If you know how PHP compares, then you also know that 0 is evaluated as *false* and any non-zero number is evaluated as *true*. If you wish you can read my article about comparing in PHP.

**Test all roles and permissions**Top

This is small function that will test all roles and permissions.

/** * Echoes permissions. * * @param array $roles Roles array * @param array $perms Permissions array */ function checkPerms($roles, $perms) { foreach ($roles as $k => $v) { echo '<b>', $k, '</b><br />'; foreach ($perms as $pk => $pv) { if ($v & $pv) echo '- can ', $pk, '<br />'; else echo '- can not ', $pk, '<br />'; } echo '<br />'; } } $roles = array( 'Guest' => $guest, 'Editor' => $editor, 'Moderator' => $moderator, 'Publisher' => $publisher, 'Administrator' => $admin ); $perms = array( 'read' => perm::READ, 'edit' => perm::EDIT, 'publish' => perm::PUBLISH, 'delete' => perm::DELETE ); checkPerms($roles, $perms);

Result that is generated is like this.

Guest- can read - can not edit - can not publish - can not deleteEditor- can read - can edit - can not publish - can not deleteModerator- can read - can edit - can publish - can not deletePublisher- can read - can not edit - can publish - can not deleteAdministrator- can read - can edit - can publish - can delete

Thank you for reading. You dan download source code here.

Posted by Marijan Šuflaj in Tutorials on 18. August 2009 | 8 comments

How to make a system where i want to give user (eg.whose permision_id is 60) to pages whose visiblity_id is 2,3,4,5.. Here is how logic comes. 2^2=4,2^3=8,2^4=16,2^5=32 so 4+8+16+32 = 60(60 is user’s permission_id) and he can see pages whose visibility_id is 2&3&4&5….

Thank you, Marijan Šuflaj, I’m really very greatfull

You can implement some BitSet class

Good tutorial. How will I handle a permission system with 50 different kinds of rights a user could have? That would be more than 32-bit could hold? Any best practices when having many permissions?

[...] Bitwise operators [...]

Thank you very much because with your clear presentation I’ve just understood how ms access permissions works with “magic” OR , AND.

This it was a mysterius enigma for a amateur “programmer” in VB like me.

Peter 29/3/10 Greece Athens

Right on! There’s a lot of ways that bitwise operators can manipulate, retrieve, compute and sort data.

[...] any interface that we will use for creating actions, grups and users but using my tutorial on bitwise permissions i created them manually. Each action has it’s own unique privilege that has to be some number [...]