PerlMonks
Re: Bitmask or Named permissions
by blssu (Pilgrim) on Oct 07, 2003 at 14:36 UTC ( [id://297300]=note )
I don't understand why the 64 bit limit is a problem. The bits are used to identify operations. The user id should be stored in another field. There is no possible way your users will think about the security of 64 different operations. Maybe I'm missing something though. Could you list some of the "real" permissions instead of just the read/write/execute example?
I designed a security module that stores object permissions in an ACL table. Each different operation is given a column in the ACL table. If the value of the column is even, permission is denied; if the value is odd, permission is granted. The data model looks like this:
Each different object class can implement its own has_user_access method. The base class method does a simple ACL test using this query:
The results of these security tests are cached only for the immediate operation (Apache request object). I use a bit-field, but since it is just a cache, the implementation can change without affecting any other code. After the operation is complete, the cache is thrown away so that security information can not leak between user sessions. (It is not as horrible as it sounds -- the database keeps its own cache so these checks rarely hit the disk.)
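Added example, not from the original post or the author's module: the odd/even ACL column test and a request-scoped bit-field cache, written in Perl. The column names, the `Request` and `SecureObject` classes, the in-memory `%ACL` hash standing in for the ACL table, and the two-bits-per-operation cache layout are all assumptions.

```perl
use strict;
use warnings;

# Constructed sample data. Column names are assumptions, one per operation.
# Odd value = permission granted, even value = permission denied.
my @OPS      = qw(can_read can_write can_delete);
my %OP_INDEX = map { $OPS[$_] => $_ } 0 .. $#OPS;
my %ACL      = (    # stands in for the ACL table, keyed "user_id:object_id"
    '7:100' => { can_read => 1, can_write => 0, can_delete => 2 },
    '8:100' => { can_read => 3, can_write => 1, can_delete => 0 },
);

package Request;    # stand-in for the per-request (Apache request) object
sub new { return bless { acl_cache => {}, lookups => 0 }, shift }

package SecureObject;
sub new { my ($class, $id) = @_; return bless { id => $id }, $class }

# Base-class test: read the operation's column and grant only if it is odd.
# Answers are cached in a bit-field on the request: bit 2i = known, 2i+1 = granted.
sub has_user_access {
    my ($self, $req, $user_id, $op) = @_;
    my $i = $OP_INDEX{$op};
    return 0 unless defined $i;                    # unknown operation: deny
    my $key = "$user_id:$self->{id}";
    $req->{acl_cache}{$key} //= '';
    my $bits = \$req->{acl_cache}{$key};
    unless (vec($$bits, 2 * $i, 1)) {
        $req->{lookups}++;                         # would be one SELECT
        my $row = $ACL{$key};
        my $val = $row ? ($row->{$op} // 0) : 0;   # no row or NULL: deny
        vec($$bits, 2 * $i, 1)     = 1;
        vec($$bits, 2 * $i + 1, 1) = $val % 2;
    }
    return vec($$bits, 2 * $i + 1, 1);
}

package main;
my $obj = SecureObject->new(100);
my $req = Request->new;
for my $check ([7, 'can_read'], [7, 'can_delete'], [7, 'can_read'], [9, 'can_read']) {
    my ($uid, $op) = @$check;
    printf "user %d %-10s -> %s\n", $uid, $op,
        $obj->has_user_access($req, $uid, $op) ? 'granted' : 'denied';
}
print "table lookups in this request: $req->{lookups}\n";
undef $req;    # request over: the cache goes with it, nothing leaks to the next one
```

A missing row, a NULL column and an unknown operation name all fall through to deny, so the check fails closed.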