Index: openacs-4/packages/acs-core-docs/www/xml/developers-guide/permissions-tediously-explained.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/xml/developers-guide/permissions-tediously-explained.xml,v
diff -u -r1.3.2.1 -r1.3.2.2
--- openacs-4/packages/acs-core-docs/www/xml/developers-guide/permissions-tediously-explained.xml 14 Nov 2003 09:43:47 -0000 1.3.2.1
+++ openacs-4/packages/acs-core-docs/www/xml/developers-guide/permissions-tediously-explained.xml 19 Nov 2003 14:35:15 -0000 1.3.2.2
@@ -89,13 +89,13 @@
create table acs_permissions (
object_id
not null
- constraint acs_permissions_on_what_id_fk references acs_objects (object_id),
+ constraint acs_permissions_on_what_id_fk references (object_id),
grantee_id
not null
- constraint acs_permissions_grantee_id_fk references parties (party_id),
+ constraint acs_permissions_grantee_id_fk references (party_id),
privilege
not null
- constraint acs_permissions_priv_fk references acs_privileges (privilege),
+ constraint acs_permissions_priv_fk references (privilege),
constraint acs_permissions_pk
primary key (object_id, grantee_id, privilege)
);
@@ -121,7 +121,7 @@
entries of the form:
-
+
Although quite feasible, this approach fails to take advantage of the fact
@@ -223,6 +223,7 @@
+ Context Hierarchy Example
@@ -275,12 +276,13 @@
- This can be represented in the
- acs_objects table
+ This can be represented in the
+ table
by the following entries:
+ acs_objects example data
@@ -322,10 +324,10 @@
we can compute that object 40 is the second-generation descendant of object 10.
With this in mind, if we want to record the fact that user Joe has the read privilege on objects
A, ..., F, we only need to record one entry in the
- acs_permissions table.
+ table.
-
+
The fact that Joe can also read B, C,
@@ -359,7 +361,7 @@
One way to solve this problem is to cache a flattened view of the context tree like so:
-
+
Note that the number of entries in the flattened view grows exponentially with
@@ -453,7 +455,7 @@
in its flattened view is
-
+
1 + 2*2 + 3*4 + 4*8 + 5*16 + ... + (n+1)*2n = n*2n+1 + 1
@@ -467,10 +469,10 @@
create table acs_object_context_index (
object_id
not null
- constraint acs_obj_context_idx_obj_id_fk references acs_objects(object_id),
+ constraint acs_obj_context_idx_obj_id_fk references (object_id),
ancestor_id
not null
- constraint acs_obj_context_idx_anc_id_fk references acs_objects(object_id),
+ constraint acs_obj_context_idx_anc_id_fk references (object_id),
n_generations integer
not null
constraint acs_obj_context_idx_n_gen_ck check (n_generations >= 0),
@@ -492,32 +494,32 @@
The acs_object_context_index is kept in sync with the
- acs_objects
+
table by triggers like this:
create or replace trigger acs_objects_context_id_in_tr
-after insert on acs_objects
+after insert on
for each row
begin
- insert into acs_object_context_index
+ insert into
(object_id, ancestor_id, n_generations)
values
(:new.object_id, :new.object_id, 0);
if :new.context_id is not null and :new.security_inherit_p = 't' then
- insert into acs_object_context_index
+ insert into
(object_id, ancestor_id,
n_generations)
select
:new.object_id as object_id, ancestor_id,
n_generations + 1 as n_generations
- from acs_object_context_index
+ from
where object_id = :new.context_id;
elsif :new.object_id != 0 then
-- 0 is the id of the security context root object
- insert into acs_object_context_index
+ insert into
(object_id, ancestor_id, n_generations)
values
(:new.object_id, 0, 1);
@@ -526,14 +528,14 @@
- One final note about
- acs_objects. By setting
+ One final note about
+ . By setting
an object's security_inherit_p column to 'f', you can stop permissions
from cascading down the context tree. In the following example, Joe does not have
the read permissions on C and F.
-
+
@@ -602,7 +604,7 @@
the Bboard package defines the following privileges:
-
+
By defining parent-child relationship between privileges, the OpenACS data model
@@ -665,7 +667,7 @@
as follows.
-
+
The parent-child relationship between privileges is represented in
@@ -719,10 +721,10 @@
create table acs_privilege_hierarchy (
privilege
not null
- constraint acs_priv_hier_priv_fk references acs_privileges (privilege),
+ constraint acs_priv_hier_priv_fk references (privilege),
child_privilege
not null
- constraint acs_priv_hier_child_priv_fk references acs_privileges (privilege),
+ constraint acs_priv_hier_child_priv_fk references (privilege),
constraint acs_privilege_hierarchy_pk
primary key (privilege, child_privilege)
);
@@ -740,14 +742,14 @@
p1.privilege,
p2.privilege as descendant
from
- acs_privileges p1,
- acs_privileges p2
+ p1,
+ p2
where
p2.privilege in
(select
child_privilege
from
- acs_privilege_hierarchy
+
start with
privilege = p1.privilege
connect by
@@ -773,46 +775,38 @@
data model is set up as follows.
-
+
-
- parties
-
+
-
- persons
-
+
-
- groups
-
+
-
- users
-
+
-
+
create table parties (
party_id
not null
- constraint parties_party_id_fk references acs_objects (object_id)
+ constraint parties_party_id_fk references (object_id)
constraint parties_pk primary key,
email varchar2(100)
constraint parties_email_un unique,
@@ -824,7 +818,7 @@
create table persons (
person_id
not null
- constraint persons_person_id_fk references parties (party_id)
+ constraint persons_person_id_fk references (party_id)
constraint persons_pk primary key,
first_names varchar2(100)
not null,
@@ -837,7 +831,7 @@
create table users (
user_id
not null
- constraint users_user_id_fk references persons (person_id)
+ constraint users_user_id_fk references (person_id)
constraint users_pk primary key,
password char(40),
-- other attributes
@@ -848,15 +842,15 @@
create table groups (
group_id
not null
- constraint groups_group_id_fk references parties (party_id)
+ constraint groups_group_id_fk references (party_id)
constraint groups_pk primary key,
group_name varchar2(100) not null
);
Recall that the grantee_id column of the
- acs_permissions table references
+ table references
parties.party_id.
This means that you can grant a privilege on an object to a party, person, user, or group.
Groups represent aggregations of parties. The most common scenario that you are likely
@@ -877,17 +871,17 @@
create table acs_rels (
rel_id
not null
- constraint acs_rels_rel_id_fk references acs_objects (object_id)
+ constraint acs_rels_rel_id_fk references (object_id)
constraint acs_rels_pk primary key,
rel_type
not null
constraint acs_rels_rel_type_fk references acs_rel_types (rel_type),
object_id_one
not null
- constraint acs_object_rels_one_fk references acs_objects (object_id),
+ constraint acs_object_rels_one_fk references (object_id),
object_id_two
not null
- constraint acs_object_rels_two_fk references acs_objects (object_id),
+ constraint acs_object_rels_two_fk references (object_id),
constraint acs_object_rels_un
unique (rel_type, object_id_one, object_id_two)
);
@@ -896,7 +890,7 @@
create table membership_rels (
rel_id
- constraint membership_rel_rel_id_fk references acs_rels (rel_id)
+ constraint membership_rel_rel_id_fk references (rel_id)
constraint membership_rel_rel_id_pk primary key,
-- null means waiting for admin approval
member_state varchar2(20)
@@ -906,11 +900,11 @@
- The acs_rels
+ The
table entries would look like so:
-
+
@@ -964,32 +958,32 @@
-
+
Another way of building up groups is by adding subgroups. Suppose
we define Merry Pranksters and Sad Pranksters as subgroups
of Pranksters. We say that the Pranksters group
is composed of
groups Merry Pranksters and Sad Pranksters. This
- information is stored in the acs_rels
+ information is stored in the
and composition_rels tables.
create table composition_rels (
rel_id
- constraint composition_rel_rel_id_fk references acs_rels (rel_id)
+ constraint composition_rel_rel_id_fk references (rel_id)
constraint composition_rel_rel_id_pk primary key
);
The relevant entries in the
- acs_rels look like so.
+ look like so.
-
+
@@ -1032,7 +1026,7 @@
-
+
The composition relationship means that if I add Matt, Mel, and Mary to the
@@ -1059,16 +1053,16 @@
create table group_component_index (
group_id not null
constraint group_comp_index_group_id_fk
- references groups (group_id),
+ references (group_id),
component_id not null
constraint group_comp_index_comp_id_fk
- references groups (group_id),
+ references (group_id),
rel_id not null
constraint group_comp_index_rel_id_fk
references composition_rels (rel_id),
container_id not null
constraint group_comp_index_cont_id_ck
- references groups (group_id),
+ references (group_id),
constraint group_component_index_ck
check (group_id != component_id),
constraint group_component_index_pk
@@ -1080,35 +1074,35 @@
create table group_member_index (
group_id
not null
- constraint group_member_index_grp_id_fk references groups (group_id),
+ constraint group_member_index_grp_id_fk references (group_id),
member_id
not null
- constraint group_member_index_mem_id_fk references parties (party_id),
+ constraint group_member_index_mem_id_fk references (party_id),
rel_id
not null
- constraint group_member_index_rel_id_fk references membership_rels (rel_id),
+ constraint group_member_index_rel_id_fk references (rel_id),
container_id
not null
- constraint group_member_index_cont_id_fk references groups (group_id),
+ constraint group_member_index_cont_id_fk references (group_id),
constraint group_member_index_pk
primary key (member_id, group_id, rel_id)
) organization index;
The group_component_index table stores a flattened representation of the
- group composition hierarchy that is maintained in sync with the acs_rels
+ group composition hierarchy that is maintained in sync with the
and composition_rels tables through triggers.
As far as the group_member_index table goes, I am not sure I understand its
purpose. It maintains group-member relationships that are resolved with respect
to group composition. Note that information stored in
- group_member_index can be trivially derived by joining
- membership_rels,
- acs_rels,
- and group_component_index. Here
+ can be trivially derived by joining
+ ,
+ ,
+ and . Here
is a view that does it. (This view is not part of the OpenACS Kernel data model.)
@@ -1122,23 +1116,23 @@
select
group_id, group_id as component_id
from
- groups
+
union
select
group_id, component_id
from
group_component_index
) gci,
- membership_rels mr,
- acs_rels r
+ mr,
+ r
where
mr.rel_id = r.rel_id
and r.object_id_one = gci.component_id;
A heuristic way to verify that group_member_view is essentially identical
- to group_member_index is to compute the
+ to is to compute the
symmetric difference between the two:
@@ -1149,14 +1143,14 @@
(
select group_id, member_id from group_member_view
minus
- select group_id, member_id from group_member_index
+ select group_id, member_id from
)
union
select
group_id, member_id
from
(
- select group_id, member_id from group_member_index
+ select group_id, member_id from
minus
select group_id, member_id from group_member_view
)
@@ -1165,7 +1159,7 @@
The query returns no rows. The important point is, if we
have a flattened view of the composition hierarchy -- like one provided
- by the group_component_index table --
+ by the table --
membership relationship resolution can be computed trivially with no hierarchical
queries involved. There is no need to keep the view in a denormalized
table, unless doing so results in substantial performance gains.
@@ -1196,7 +1190,7 @@
begin
-- XXX This must be fixed: -1 shouldn't be hardcoded (it is the public)
select decode(count(*),0,'f','t') into exists_p
- from acs_object_party_privilege_map
+ from
where object_id = permission_p.object_id
and party_id in (permission_p.party_id, -1)
and privilege = permission_p.privilege;
@@ -1208,7 +1202,7 @@
The function simply queries
- acs_object_party_privilege_map,
+ ,
which is a humongous view that joins three flattened hierarchies:
the context tree, the privilege hierarchy,
the party composition (and membership) hierarchy. As such,
@@ -1225,7 +1219,7 @@
select count(*)
- from acs_object_party_privilege_map;
+ from ;
@@ -1238,7 +1232,7 @@
select
object_id, party_id
from
- acs_object_party_privilege_map
+
where
privilege = 'foo_create';
begin
@@ -1278,7 +1272,7 @@
one entry that needed to be deleted:
-
+
@@ -1310,7 +1304,7 @@
-
+
The above script would never get around to deleting this entry because it had
@@ -1331,8 +1325,8 @@
gmm.member_id as party_id,
ogpm.privilege
from
- acs_object_grantee_priv_map ogpm,
- group_member_map gmm
+ ogpm,
+ gmm
where
ogpm.grantee_id = gmm.group_id
union
@@ -1341,7 +1335,7 @@
grantee_id as party_id,
privilege
from
- acs_object_grantee_priv_map;
+ ;
@@ -1352,8 +1346,8 @@
a.grantee_id,
m.descendant as privilege
from
- acs_permissions_all a,
- acs_privilege_descendant_map m
+ a,
+ m
where
a.privilege = m.privilege;
@@ -1367,8 +1361,8 @@
p.grantee_id,
p.privilege
from
- acs_object_paths op,
- acs_permissions p
+ op,
+ p
where
op.ancestor_id = p.object_id;
@@ -1381,7 +1375,7 @@
ancestor_id,
n_generations
from
- acs_object_context_index;
+ ;
@@ -1394,7 +1388,7 @@
rel_id,
container_id
from
- group_member_index;
+ ;