Just wondering for user permission check,
Should you keep the permission in the session
eg. select out the user info and store the permission id in the session
or doing a permission check against the database everything time before you doing a query?
In an application, data that is not available, should not be available. How you establish this simple procedure is up to you and depends a lot how you structure your application.
For example, you allow data-access with the database credentials you share across your whole application probably within it's configuration values.
Assuming you do this: If you have not a problem with that, why are you concerned about a much more detailed case that much?
I fetch the data from the database every time, so when I change permissions, the user gets updated instantly instead of the next login.
Many people would assume there may be a performance penalty. But if you use MySQL like most PHP users, results will be held in a query cache in RAM and will be available in almost no time.
It depends on the security level of your website. If you think security is really important for your website and you want security changes to be made on user as soon as they're changed, you have to use database calls. However, if your permission system is designed this way, it can become quite slow and inefficient.
If security can "wait" for the next session then I think it's better to save permissions in the session to avoid a loss of performance.
This is a great use case for memcache. You could store user permissions in a database, pull them down once and cache them. Subsequent page loads would fetch from memcache.
When an administrator changes a user's permission, that action can simply invalidate (delete) the cache key. Then, the next time you fetch from cache it won't be there and you'll know to hit the database again.