  1. MySQL: deduce foreign key relationship for random queries
<p>I am a MySQL novice and am looking for the solution to the following problem:</p>
<p>I would like to create a CMS with cppcms which shall be capable of having modules. Since I want to reduce the chance of (accidental) access to private data, I want a module which handles data access and rights. Since this module is supposed to be unaware of data structures created by other modules, I would like it to deduce the data owner through <strong>foreign key</strong> relations. My idea would be to search for a path (over foreign keys) which links a row to a user id.</p>
<p><em>Sum up:</em> What I am trying to do</p>
<ol>
<li>Taking a random query, determine the affected rows</li>
<li>For the affected rows, determine a relationship/path (via foreign keys) to a user/userid (a column in an existing table)</li>
<li>Return only the rows for which a relationship could be determined and a condition holds (e.g. the userid found in the related query matches a fixed user id, such as the user currently accessing the system)</li>
</ol>
<p>(As far as I know, foreign keys only enforce the existence of a key in another table; however, the precondition I assume is that every row is linked to a user over a path of foreign key relations.)</p>
<p>My Problem/Question:</p>
<ol>
<li><p>Is there an existing solution/better approach to the problem? Prepared statements won't do the trick since I don't know all data structures/queries in advance.</p></li>
<li><p>How do I get the foreign key relations? Is there another way besides "SHOW CREATE TABLE" and then parsing the result string?</p></li>
<li><p>How can I determine the rows that would be affected, without modifying them? I would like to filter this set afterwards by determining if I can link it to the current user (not the MySQL user but the system user).</p></li>
</ol>
<p>Could I try executing the query, and then select the affected rows, and if I determine an access violation simply do a rollback? Problem with this: how to do the changes to the subset of rows for which it is legal (e.g. I attempt to change 5 rows, may only change 2, how to only change those 2). One idea was to search for a way to create a temporary table with the result set; this solution has several drawbacks: foreign key relations are not possible for temporary tables, they are 'lost'.</p>
<p>P.S.: I am coding in C++, therefore I would prefer cpp-compatible library recommendations; however, I am open to other suggestions. While googling I stumbled over Doctrine and I am currently researching it. P.P.S.: Database engine is InnoDB (has to be because of the foreign keys)</p>
<p><strong>UPDATE: Explanation Attempt of Part 2:</strong> I am trying to filter which columns a user is allowed to see of tables. To do so I would like to find a connection in the database over foreign keys (by foreign keys I ensure that I can get to all data over joins, and they are a hint on which columns I have to join). Since I plan on a more complex system (e.g. a forum) I don't want to join all data in a temporary table and run a user query on those. I would rather evaluate the user query and check for the result if I can map it with a join to the user's id. For example, I could use this to enforce that an edit button is only enabled for the posts created by the user. (I know there are easier ways to do this, but I basically want to allow programmers to write their own queries without giving them the chance to edit or view data that they are not allowed to see. My assumption is that the programmer is not an evildoer but simply forgetting constraints, thus I want to enforce them in software.)</p>
<p>Getting here would be pretty good, but I have a little more complex need.</p>
<p>First a basic example. Let's say it's like Facebook and all the friends of a person are allowed to see his pictures.</p>
<pre><code>pictures = id **userid** file (bool)visibleForFriends album
friendship = **userid1** **userid2**
users = userid
</code></pre>
<p>What I want to happen is:</p>
<ol>
<li>Programmer input "SELECT * FROM pictures WHERE album=2"</li>
<li>System gets all matching records (e.g. set of ids)</li>
<li>System sees foreign key userid, tries to match current userid against the pictures userid, adds all matching to the returned result part</li>
<li>System notices <em>special</em> column visibleForFriends</li>
<li>System tries to determine all friends (SELECT userid1 FROM friendship WHERE userid2=currentUserID join (have to read up on joins) SELECT userid2 FROM friendship WHERE userid1=currentUserID)</li>
<li>System adds all rows where <em>visibleForFriends</em> is true and pictures.userid=Result from 5.</li>
</ol>
<p>While the friendship part is some extra code (I think doable if I got started on the first bit), I still need to figure out how to automatically follow the foreign keys to see the connection. Ignoring the special friendship case, I would like the system to work on this as well:</p>
<pre><code>pictures = id **albumid** file (bool)visibleForFriends album
albums = id **userid**
users = userid
</code></pre>
<p>Now the system should go pictures.<strong>albumid</strong> ==> albums.id -> albums.<strong>userid</strong> ==> users.userid.</p>
<p>I hope the examples clarified the question a bit. One problem is that in point one from the example (programmer query input) I don't want to let "DELETE *" take effect on anything not owned by the user. So I have to filter which rows to actually delete.</p>
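An added example, not part of the original question: the foreign keys can be read from MySQL's `information_schema.KEY_COLUMN_USAGE` view instead of parsing SHOW CREATE TABLE, and the pictures → albums → users chain can then be found by breadth-first search and turned into a parameterized ownership filter. The names `Fk`, `fkPath`, `ownedRowsSql` and `kSampleFks` are assumptions made for illustration, and the sample rows are constructed to match the second schema above; the visibleForFriends special case is not covered.

```cpp
#include <iostream>
#include <map>
#include <queue>
#include <string>
#include <vector>

struct Fk { std::string table, column, refTable, refColumn; };  // table.column -> refTable.refColumn

// Constructed sample of the rows MySQL returns for the second schema from:
//   SELECT TABLE_NAME, COLUMN_NAME, REFERENCED_TABLE_NAME, REFERENCED_COLUMN_NAME
//   FROM information_schema.KEY_COLUMN_USAGE
//   WHERE TABLE_SCHEMA = DATABASE() AND REFERENCED_TABLE_NAME IS NOT NULL;
const std::vector<Fk> kSampleFks = {{"pictures", "albumid", "albums", "id"},
                                    {"albums", "userid", "users", "userid"}};

// Breadth-first search over child -> parent edges: shortest FK chain from
// `start` to `owner`, or an empty vector when the tables are not linked.
std::vector<Fk> fkPath(const std::vector<Fk>& fks, const std::string& start,
                       const std::string& owner) {
    std::map<std::string, Fk> cameBy;  // table -> edge that first reached it
    std::queue<std::string> todo;
    todo.push(start);
    while (!todo.empty()) {
        const std::string t = todo.front(); todo.pop();
        for (const Fk& fk : fks)
            if (fk.table == t && fk.refTable != start && !cameBy.count(fk.refTable)) {
                cameBy[fk.refTable] = fk;
                todo.push(fk.refTable);
            }
    }
    std::vector<Fk> path;  // rebuilt backwards from the owner table
    for (std::string t = owner; cameBy.count(t); t = cameBy[t].table)
        path.insert(path.begin(), cameBy[t]);
    return path;
}

// SELECT limited to rows of `start` owned by the bound user id (the `?`).
// Returns "" (deny) when no chain exists; identifiers come from the catalog only.
std::string ownedRowsSql(const std::vector<Fk>& path, const std::string& start) {
    if (path.empty()) return "";
    std::string sql = "SELECT " + start + ".* FROM " + start;
    for (const Fk& fk : path)
        sql += " JOIN " + fk.refTable + " ON " + fk.table + "." + fk.column +
               " = " + fk.refTable + "." + fk.refColumn;
    return sql + " WHERE " + path.back().refTable + "." + path.back().refColumn + " = ?";
}

int main() {
    std::cout << ownedRowsSql(fkPath(kSampleFks, "pictures", "users"), "pictures") << "\n";
}
```

The generated statement can serve as a subquery that restricts the programmer's SELECT, UPDATE or DELETE to owned rows, with the current user's id bound to the `?` placeholder.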
 
