John Campbell wrote:
> On 9/28/07, Kenneth Downs <[EMAIL PROTECTED]> wrote:
> > I will claim that putting security
> > directly into the database is better than any other way because it does what
> > is needed in the end with the least possible work.
>
> I must be missing something. Take a simple social networking
> scenario: A user can only see another user's complete profile if and
> only if they are mutual friends. Implementing that in the tables
> would be a huge pain in the ass and incur a big performance penalty.
> Is there some super easy way to implement this that I am missing?
No matter how you do it, you have to define it first. Your rules, in
English, roughly, are:
1) A user can see his own profile
2) A user can see his friends' profiles
Translated into database terms:
1) A user can see row(s) in the profiles table where the user_id column
matches his
2) A user can see row(s) in the profiles table if the user_id matches a
cross-reference that lists him and the target user.
If you want public/private profiles you repeat the same process for
defining column-by-column access. As I've said many times in this
thread, it will all come down to database definitions in the end, so the
real question is about the easiest way to implement the most reliable
approach.
The Andromeda definition would be something like this:
table profiles:
    column user_id:
        primary_key: "Y"
        # Supergods can see any row, but....
        group supergods:
            permrow: "N"
        # ...group "general" only sees rows where this
        # column matches their user_id
        group general:
            permrow: "Y"
        # ...any member of the group friends can see
        # a row here if they are on the left side
        # of friends x-ref table
        group friends:
            permrow_table: friends
    column name:
    column address:
    column city:
    ....etc....
# This is the cross-reference of friends
table friends:
    foreign_key profiles:
        suffix: _1
    foreign_key profiles:
        suffix: _2
Now that it's defined the question is what is the easiest way to
implement it? If the server can do it for you then you have no more
work to do. That's why I wrote Andromeda and that's what Andromeda does
for me. But I don't do social networking sites -- I wish I had
something that simple!
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
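The two row rules Kenneth spells out above (a user sees his own profile row, and any row where the friends cross-reference lists him on the left and the target on the right), worked through as an added example. This is not code from the thread or from Andromeda; it assumes a `friends` table whose columns are named `user_id_1` and `user_id_2` after the `_1`/`_2` suffixes in the definition, uses an in-memory SQLite database with constructed sample users, and adds two things the mail only mentions in passing: a stricter "mutual friends" variant for John's scenario (the pair must appear in both directions), and an assumed public/private column split (`name` public, `address` and `city` only for rows the row rule grants). The access rules live in database views so application code never re-derives them.

```python
import sqlite3

# Schema: profiles plus the friends cross-reference from the mail.
# Column names user_id_1 / user_id_2 are an assumption based on the _1/_2 suffixes.
SCHEMA = """
CREATE TABLE profiles (
    user_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    address TEXT,
    city    TEXT
);
CREATE TABLE friends (
    user_id_1 INTEGER NOT NULL REFERENCES profiles(user_id),  -- the viewer (left side)
    user_id_2 INTEGER NOT NULL REFERENCES profiles(user_id),  -- the target (right side)
    PRIMARY KEY (user_id_1, user_id_2)
);
-- Rule 1: own row.  Rule 2: a cross-reference row listing viewer (left) and target (right).
CREATE VIEW profile_access AS
    SELECT user_id AS viewer_id, user_id AS profile_id FROM profiles
    UNION
    SELECT user_id_1, user_id_2 FROM friends;
-- Stricter variant for the "mutual friends" scenario: the pair must be listed both ways.
CREATE VIEW profile_access_mutual AS
    SELECT user_id AS viewer_id, user_id AS profile_id FROM profiles
    UNION
    SELECT f1.user_id_1, f1.user_id_2
      FROM friends f1
      JOIN friends f2 ON f2.user_id_1 = f1.user_id_2
                     AND f2.user_id_2 = f1.user_id_1;
"""

# Column-level rule (assumed): name is public, address/city need row access.
PUBLIC_COLUMNS = ("user_id", "name")
FULL_COLUMNS = ("user_id", "name", "address", "city")

# Fixed queries keyed by variant, so no view name is ever spliced into SQL text.
ACCESS_QUERIES = {
    False: "SELECT profile_id FROM profile_access WHERE viewer_id = ? ORDER BY profile_id",
    True: "SELECT profile_id FROM profile_access_mutual WHERE viewer_id = ? ORDER BY profile_id",
}


def open_db():
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO profiles VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "1 Main St", "Stony Brook"),
            (2, "bob", "2 Elm St", "Brooklyn"),
            (3, "carol", "3 Oak St", "Queens"),
            (4, "dave", "4 Pine St", "Albany"),
        ],
    )
    # alice<->bob is mutual; alice lists carol but carol does not list alice; dave has no friends.
    conn.executemany("INSERT INTO friends VALUES (?, ?)", [(1, 2), (2, 1), (1, 3)])
    return conn


def visible_profiles(conn, viewer_id, mutual=False):
    """Profile ids the viewer may see in full, as decided by the access view."""
    rows = conn.execute(ACCESS_QUERIES[mutual], (viewer_id,)).fetchall()
    return [r[0] for r in rows]


def profile_for(conn, viewer_id, target_id, mutual=False):
    """Return the target's row, projected to public columns unless the row rule grants access."""
    row = conn.execute(
        "SELECT user_id, name, address, city FROM profiles WHERE user_id = ?", (target_id,)
    ).fetchone()
    if row is None:
        return None
    allowed = target_id in visible_profiles(conn, viewer_id, mutual)
    full = dict(zip(FULL_COLUMNS, row))
    return {col: full[col] for col in (FULL_COLUMNS if allowed else PUBLIC_COLUMNS)}


if __name__ == "__main__":
    db = open_db()
    for viewer in (1, 2, 3, 4):
        print(viewer, visible_profiles(db, viewer), visible_profiles(db, viewer, mutual=True))
    print(profile_for(db, 3, 1))  # carol viewing alice: public columns only
```

The point of the `profile_access` view is the one Kenneth makes: once the rule is written as a database definition, every query that joins through the view gets the same answer, and the "mutual" variant is a second definition rather than a second code path in every page that renders a profile.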
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk