POORM: authorization via reachability
<p>We are building a web application which uses a database. Also we use an object relational mapper to access the database. One aspect of authorization in the web application is that the <em>user</em> may access an object referred to by a URL. The URL contains a unique id (for example the Primary Key) to a specific record in the database. Consider the following example.</p> <ul> <li>a <em>user</em> may belong to many <em>groups</em> and a <em>group</em> may have many <em>users</em> (many-to-many).</li> <li>a <em>survey</em> belongs to a <em>group</em> (many-to-one).</li> <li>a <em>survey</em> may have multiple <em>questions</em> (many-to-one).</li> </ul> <p>Say we have the following URL: <a href="http://app.local/question/edit/10" rel="nofollow">http://app.local/question/edit/10</a>. This means we want to edit <em>question</em> with PK 10. Now, we want to verify if the logged-in <em>user</em> may access <em>question</em> with PK 10. This can be done by retrieving this <em>question</em>, then its <em>survey</em>, then its <em>group</em> and then all its <em>users</em>. If any of the <em>users</em> is the same as the logged-in <em>user</em>, the logged-in <em>user</em> may access the <em>question</em>.</p> <p>To generalize this a bit: we want to check if a record is <em>reachable</em> from another record by the known many-to-one or many-to-many relations. So if there is a many-to-one relation (like with a <em>survey</em> and a <em>question</em>), then we should check if a <em>user</em> is reachable from the <em>question</em> through the <em>survey</em> and then through the <em>group</em>. The <em>group</em> has a many-to-many relation with the <em>user</em>, so we should check if any (not all) of the <em>users</em> is the same as the logged-in <em>user</em>.</p> <p>If a table has multiple many-to-one relations, say, we can attach a CSS <em>template</em> to a <em>survey</em> and this <em>template</em> also belongs to a <em>group</em>, then we have to check if a <em>user</em> is reachable from all many-to-one relations (thus the <em>group</em> and the <em>template</em>). The same holds of course for multiple many-to-many relations.</p> <p>Are there Object Relational Mappers which support this behaviour? And what is this behaviour called, maybe reachability? Does Propel (for PHP) support this behaviour? I think this reachability can be done in either of the following two ways:</p> <ul> <li>Execute a query to get each "parent" (uses many queries).</li> <li>Join all necessary tables to see if a record exists (the reachable users match the logged-in user) in one query.</li> </ul> <p>Furthermore this behaviour of the ORM should support nested sets, thus if a <em>group</em> contains nested set behaviour it should also try to reach a user through the <em>group</em>'s parent.</p> <p>I don't think this kind of behaviour should be restricted to authorization; objects should simply be able to see if they can reach another object.</p> <p>Note that I do not mean persistence by reachability: <a href="http://jpaobjects.sourceforge.net/m2-site/main/documentation/docbkx/html/user-guide/ch08s03.html" rel="nofollow">http://jpaobjects.sourceforge.net/m2-site/main/documentation/docbkx/html/user-guide/ch08s03.html</a>.</p> <p>Or... am I simply looking at this authorization wrong and is there a far better and different approach with an ORM?</p>
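The following is an added example, not part of the original question and not Propel code: it implements both strategies the question lists (one query per hop versus a single JOIN) for the question's own schema of users, groups, surveys, templates and questions, and checks that they agree before the edit is allowed. The table names, the relation map (a many-to-one relation must reach the user, a many-to-many relation needs only one matching member) and the sample rows are all constructed here; nested sets are not handled. The relation metadata is a fixed constant, so table and column names never come from the request; only the record id from the URL and the session's user id are bound as parameters.

```python
import sqlite3

# Constructed schema mirroring the question's example. "grp" is used instead
# of "group" because GROUP is a reserved word in SQL.
SCHEMA = """
CREATE TABLE user     (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE grp      (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_grp (user_id INTEGER, grp_id INTEGER);
CREATE TABLE template (id INTEGER PRIMARY KEY, grp_id INTEGER);
CREATE TABLE survey   (id INTEGER PRIMARY KEY, grp_id INTEGER, template_id INTEGER);
CREATE TABLE question (id INTEGER PRIMARY KEY, survey_id INTEGER);
"""

# Relation metadata an ORM would normally know (assumed layout). Kept as
# constants so table/column names never come from request input; only ids are bound.
MANY_TO_ONE = {                      # table -> [(fk column, parent table)]
    "question": [("survey_id", "survey")],
    "survey":   [("grp_id", "grp"), ("template_id", "template")],
    "template": [("grp_id", "grp")],
    "grp":      [],
}
MANY_TO_MANY = {                     # table -> [(join table, own col, other col, other table)]
    "grp": [("user_grp", "grp_id", "user_id", "user")],
}


def build_demo_db():
    """Constructed sample data: alice is in group A, bob in B, carol in both."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?,?)", [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO grp VALUES (?,?)", [(1, "A"), (2, "B")])
    conn.executemany("INSERT INTO user_grp VALUES (?,?)", [(1, 1), (2, 2), (3, 1), (3, 2)])
    conn.executemany("INSERT INTO template VALUES (?,?)", [(1, 1), (2, 2)])
    # survey 2 belongs to group A but uses template 2, which belongs to group B
    conn.executemany("INSERT INTO survey VALUES (?,?,?)", [(1, 1, 1), (2, 1, 2)])
    conn.executemany("INSERT INTO question VALUES (?,?)", [(10, 1), (11, 2)])
    return conn


def reachable_multi(conn, table, pk, user_id):
    """Approach 1 from the question: one query per hop, recursing to parents.
    Every many-to-one parent must reach the user (AND); for a many-to-many
    relation it suffices that the user is one of the linked rows (ANY)."""
    checks = []
    for fk, parent in MANY_TO_ONE.get(table, []):
        row = conn.execute(f"SELECT {fk} FROM {table} WHERE id = ?", (pk,)).fetchone()
        if row is None or row[0] is None:
            return False                 # unknown row or dangling parent: deny
        checks.append(reachable_multi(conn, parent, row[0], user_id))
    for join_table, own_col, other_col, other in MANY_TO_MANY.get(table, []):
        if other == "user":
            hit = conn.execute(
                f"SELECT 1 FROM {join_table} WHERE {own_col} = ? AND {other_col} = ?",
                (pk, user_id)).fetchone()
            checks.append(hit is not None)
    # a table with no path to the user is never reachable
    return bool(checks) and all(checks)


# Approach 2: the same decision as a single JOIN. Each many-to-one hop is an
# inner join; each "any user matches" condition becomes a join on the
# membership table filtered to the logged-in user.
ONE_QUERY = """
SELECT 1
FROM question q
JOIN survey   s   ON s.id = q.survey_id
JOIN template t   ON t.id = s.template_id
JOIN user_grp ug1 ON ug1.grp_id = s.grp_id AND ug1.user_id = :uid
JOIN user_grp ug2 ON ug2.grp_id = t.grp_id AND ug2.user_id = :uid
WHERE q.id = :qid
LIMIT 1
"""


def reachable_single(conn, question_id, user_id):
    row = conn.execute(ONE_QUERY, {"qid": question_id, "uid": user_id}).fetchone()
    return row is not None


def can_edit_question(conn, question_id, user_id):
    """Authorization check for /question/edit/<id>: both approaches must agree."""
    a = reachable_multi(conn, "question", question_id, user_id)
    b = reachable_single(conn, question_id, user_id)
    assert a == b, "both strategies must give the same answer"
    return a


if __name__ == "__main__":
    db = build_demo_db()
    for qid, uid in [(10, 1), (10, 2), (11, 1), (11, 3), (99, 1)]:
        print(qid, uid, can_edit_question(db, qid, uid))
```

With the constructed data, question 11 is the interesting case: its survey is in group A, but its template belongs to group B, so only carol (a member of both) may edit it; alice, who is only in A, is denied. An unknown id such as 99 is denied by both strategies rather than raising, which is the safe default for a check that runs on every request.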