Ok Jim, I think I found the last area where we're getting mixed up. However, I think I understand where you're coming from (and see some of the advantages that you have suggested). My proposed idea below is still storing the file information, but I'm using your filename-permission idea. Check this out:
Blank initialized system - Permission database is currently empty (no permissions registered). Some random user logs in and hits two templates (user.cfm and message.cfm) which have the following:

USER.CFM
    <cf_security perms="read,edit,delete">

MESSAGE.CFM
    <cf_security perms="read,edit,delete,post">

Since neither of these files has been registered with the security system yet, cf_security registers the filenames and permissions in the database (assuming filenames are the unique identifier for simplicity) and tells the user to wait until permissions have been set. The permission table would look like this:

    PERMID  FILENAME  PERM    GROUP
    1       MESSAGE   READ
    2       MESSAGE   EDIT
    3       MESSAGE   DELETE
    4       MESSAGE   POST
    5       USER      READ
    6       USER      EDIT
    7       USER      DELETE

Now, I log into my super-duper permission editor and assign groups to those permissions so the table will now look like this:

    PERMID  FILENAME  PERM    GROUP
    1       MESSAGE   READ    USERS
    2       MESSAGE   EDIT    MODS
    3       MESSAGE   DELETE  ADMINS
    4       MESSAGE   POST    USERS
    5       USER      READ    USERMODS
    6       USER      EDIT    USERMODS
    7       USER      DELETE  ADMINS

Now, here is the user/group membership table:

    USERS  GROUPS
    joe    USERMODS, USERS
    mike   ADMINS, MODS
    dan    USERS

Let's say user "Joe" logs in and he's obviously a member of the USERMODS and USERS groups. Upon login, the system performs a lookup to see what permissions are assigned to those groups (IDs 1, 4, 5 and 6). Those permissions are then loaded into memory like this:

    session.permissions = "messageread, messagepost, userread, useredit"

Now, let's say Joe hits the USER.CFM template. The cf_security tag is the following:

USERS.CFM
    <cf_security perms="read,edit,delete">

so the cf_security tag can do a compare between the permissions loaded in memory (session.permissions) and what permissions are stored in the file and set any permission to TRUE that match up (remember, cf_security assembles the permission by taking the filename and the permission).

The nice thing about this is within the code, you just use standard words like:

    if edit
        do this
    end if

Instead of:

    if messageedit
        do that
    end if

which makes the code nice and portable if you decide to reuse it somewhere else (not specific to that file). What I really like about this is that there are no database hits while the user is browsing the site. Keeps things nice and fast.

The only thing I don't like about this setup is that I'm loading up all those permissions into memory - seems kinda wasteful. Let's say I had 100 files with each of them having a few permissions, that list could be huge, multiply that by lots of users, that could be a lot of memory. I could instead load the PERMID list into memory, but then I'd obviously have to do a lookup to pull the actual permission out of the database every time someone hits a template so cf_security could make the match. The other option is loading up the group memberships into the session variable at login and then doing a group/permission lookup for every template, but that would have a similar performance hit (if not slightly higher) than the PERMID list, but the session variable stays small.

Now, I understand that I'm repeating permissions, i.e. there is a permission EDIT in USER.CFM and also another permission EDIT in MESSAGE.CFM, but those permissions are still template specific. I can't give some group generic EDIT permissions because EDIT on one template doesn't mean the same thing on another template. i.e. you have a file in NTFS that has modify permission. You also have an OU in Active Directory that can be assigned the modify permission. However, that doesn't mean that I should have generic modify access to both of those objects just because their permission "titles" are the same.

So whatcha think?

Mike
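
The scheme described in the message above, modelled in Python as an added example (it is not part of the original post and not cf_security's actual code). The tables are copied from the message; the function names `register`, `login` and `cf_security` and the `report.cfm` template used when exercising it are hypothetical.

```python
# Added example: constructed data copied from the tables in the post.
# Function and variable names are hypothetical, not cf_security's real internals.
PERMISSIONS = [  # (filename, perm, group); group None = registered, not yet assigned
    ("MESSAGE", "READ", "USERS"), ("MESSAGE", "EDIT", "MODS"),
    ("MESSAGE", "DELETE", "ADMINS"), ("MESSAGE", "POST", "USERS"),
    ("USER", "READ", "USERMODS"), ("USER", "EDIT", "USERMODS"),
    ("USER", "DELETE", "ADMINS"),
]
MEMBERSHIP = {"joe": {"USERMODS", "USERS"}, "mike": {"ADMINS", "MODS"}, "dan": {"USERS"}}


def register(template, perms, table):
    """First sighting of a template: store unseen perms with no group (deny all)."""
    name = template.rsplit(".", 1)[0].upper()
    known = {(f, p) for f, p, _ in table}
    for perm in (p.strip().upper() for p in perms.split(",")):
        if (name, perm) not in known:
            table.append((name, perm, None))


def login(user, table):
    """The single lookup at login: flatten group grants into session.permissions."""
    groups = MEMBERSHIP.get(user, set())
    return {(f + p).lower() for f, p, g in table if g in groups}


def cf_security(template, perms, session_permissions):
    """Per-request check against memory only: filename + perm must match exactly."""
    name = template.rsplit(".", 1)[0].lower()
    return {p.strip().lower(): name + p.strip().lower() in session_permissions
            for p in perms.split(",")}


if __name__ == "__main__":
    joe = login("joe", PERMISSIONS)
    print(sorted(joe))
    print(cf_security("user.cfm", "read,edit,delete", joe))
    print(cf_security("message.cfm", "read,edit,delete,post", joe))
```

Because the permission set is built once at login, a group assignment or removal made later in the permission editor does not reach a session that is already open; it takes effect at that user's next login.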

