On Mon, Jan 26, 2009 at 11:58 AM, Daniel J. Lauk <[email protected]> wrote:
> Les, Peter,
>
> thanks for the details.
>
> >> Instance-level permissions are very powerful indeed, however, you don't
> >> want to create hundreds or thousands of them. Typically my applications use
> >> a mix of logic that requires knowledge of how the application works as well
> >> as permission checks:
>
> So reducing the count of entries in the DB will speed things up? ;-)

:)

> >> Based on your example, I would only check if someone is allowed to review
> >> an entry if they are NOT the reviewer already assigned to the entry.
>
> Well, actually, nobody but the assigned reviewer is allowed.
> As I will have the field around for DB queries anyway, I guess that
> permissions don't add value from the app logic point of view.

Well, that depends on your app logic ;)

For example, most of my applications have a 'root' user and/or an 'administrator' role. Now, when the root user logs in, or someone who has the 'administrator' role logs in, I would want them to be able to see the entry if they so desired. The 'administrator' role would be assigned the "entry:review" permission, allowing them to 'review' any entry.

Again, that would be my desire for my application - your application may not allow even an administrator to see such a thing.

> Nevertheless they add value from the point of view that permissions go
> along with functionality as opposed to roles.

Absolutely correct. In permission-based systems, Permissions describe raw application functionality - they are the 'what' can be done in an application and have no concept of 'who' can do something.

Similarly a Role is merely a named collection of Permissions. They aggregate raw functionality into a 'bundle' of sorts that describes the ability to do multiple things. There is still no 'who' at this level.

The users are the 'who'. 'Who' can do 'what' is usually achieved by assigning one or more roles to a user, for example,

    user.getRoles().add(aRole);

If you have a dynamic role system, where you can add/delete roles at runtime, your application code _must_ check against permissions, not roles.

Cheers,

Les
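
The model described in this message, as an added example that is not part of the original e-mail and is not JSecurity code: plain Java in which a role created at runtime is honoured by a permission check but missed by a role-name check. The classes Role, User and Entry, the methods isPermitted, hasRole, canReview and canReviewByRoleName, and the 'auditor' role are hypothetical; only "entry:review", the 'administrator' role and user.getRoles().add(...) come from the message.

```java
import java.util.*;

public class PermissionCheckDemo {
    // A role is only a named bundle of permission strings; it has no notion of 'who'.
    record Role(String name, Set<String> permissions) {}

    // Hypothetical user type: the 'who', linked to the 'what' only through roles.
    static class User {
        final String name;
        private final Set<Role> roles = new HashSet<>();
        User(String name) { this.name = name; }
        Set<Role> getRoles() { return roles; }
        // Permission check: walks whatever roles the user holds right now.
        boolean isPermitted(String permission) {
            return roles.stream().anyMatch(r -> r.permissions().contains(permission));
        }
        // Role-name check: only meaningful for role names known when the code was written.
        boolean hasRole(String roleName) {
            return roles.stream().anyMatch(r -> r.name().equals(roleName));
        }
    }

    record Entry(String title, User assignedReviewer) {}

    // Application logic first (the assigned reviewer), permission check only otherwise.
    static boolean canReview(User user, Entry entry) {
        return user == entry.assignedReviewer() || user.isPermitted("entry:review");
    }

    // Shown for contrast: hard-codes a role name, so runtime-created roles are ignored.
    static boolean canReviewByRoleName(User user, Entry entry) {
        return user == entry.assignedReviewer() || user.hasRole("administrator");
    }

    public static void main(String[] args) {
        User reviewer = new User("reviewer"), admin = new User("admin");
        User auditor = new User("auditor"), other = new User("other");
        admin.getRoles().add(new Role("administrator", Set.of("entry:review")));
        // Constructed case: a role added at runtime that the code above never names.
        auditor.getRoles().add(new Role("auditor", Set.of("entry:review")));
        Entry entry = new Entry("draft", reviewer);
        for (User u : List.of(reviewer, admin, auditor, other)) {
            System.out.printf("%-9s permissionCheck=%-5b roleNameCheck=%b%n",
                    u.name, canReview(u, entry), canReviewByRoleName(u, entry));
        }
    }
}
```

The two checks disagree only for the auditor user, whose role was created after the role-name check was written.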
