了解MySQL的Web App权限
[英]Understanding Web App Permissions with MySQL
问题描述
Assume I have a schema defined with the 4 following entities: 
假设我有一个使用以下4个实体定义的架构:
Users
-> Timeline (fk: userId)
-> Entries (fk: timelineId)
-> Tags (fk: entryId), where fk means foreign key.
Now, let's say I want to check in the web application if a user has permission to delete a particular tag. 现在,假设我要在Web应用程序中签入用户是否有权删除特定标签。 Right now I use Basic Authentication, check if the user's email // password exist in the database, and if so, grab the userId. 现在,我使用基本身份验证,检查数据库中是否存在用户的电子邮件//密码,如果存在,请获取userId。
Because of the userId only existing on the Timeline entity, I feel like I'd need to do the following: 由于userId仅存在于时间轴实体上,因此我需要执行以下操作:
DELETE t.* FROM `tags` AS t
INNER JOIN `entries` AS e ON t.entryId = e.id
INNER JOIN `timelines` AS tl ON e.timelineId = tl.id
WHERE
tl.userId = ? AND
t.id = ?
This approach works, but I feel like it would be inefficient. 这种方法有效,但我觉得效率不高。 Instead, I could add a userId FK to every single table such as the tags, but that also seems like a maintenance nightmare. 取而代之的是,我可以将userId FK添加到每个表(例如标签),但这似乎也像一场维护噩梦。
I can't think of any other approaches other than implementing some other type of permission system, such as using an ACL. 除了实现某种其他类型的权限系统(例如使用ACL)之外,我无法想到任何其他方法。 Any suggestions? 有什么建议么?
2 个解决方案
解决方案1
1 2017-05-22 09:50:10
I think you can choose from a few options: 我认为您可以从以下几种选择中进行选择:
- leave it as is until it actually becomes a problem and fix it then (it probably won't be a problem, there's a lot of optimization in MySQL) 使其保持原状,直到它真正成为问题并加以解决(这可能不会有问题,MySQL中有很多优化)
- add foreign keys to tables as you proposed and take the overhead on changes (your models / data access layer should hide the problem from higher layers anyway) 按照您的建议向表中添加外键,并承担更改的开销(您的模型/数据访问层无论如何应该将问题隐藏在更高层中)
- implement some kind of custom caching 实现某种自定义缓存
- you can either create something like a cache table, probably in a nosql database like Redis, which would be very fast (once a permission is retrieved, it can live in the cache for a while, but be aware of consequences, for example permission changes will not be immediate) 您可以在高速缓存表(可能在Redis这样的nosql数据库)中创建高速缓存表之类的东西,这会非常快(一旦检索到权限,它就可以在高速缓存中保留一段时间,但要注意后果,例如更改权限)不会立即生效)
- you can use memcache 你可以使用内存缓存
- you can do custom in-memory caching in your app (be careful with using the session for this, session-related vulnerabilities might allow an attacker more access than you intended) 您可以在应用中进行自定义的内存缓存(为此请谨慎使用会话,与会话相关的漏洞可能会让攻击者获得比预期更多的访问权限)
- you can either create something like a cache table, probably in a nosql database like Redis, which would be very fast (once a permission is retrieved, it can live in the cache for a while, but be aware of consequences, for example permission changes will not be immediate)
Basically and in general it's a compute / storage tradeoff I think. 基本上,总的来说,这是我认为的计算/存储权衡。 You either compute permissions every time or store them pre-computed somewhere, which means you need to re-compute them sometimes (but probably not all the time). 您要么每次都计算权限,要么将它们预先计算后存储在某个地方,这意味着您有时需要重新计算它们(但可能并非始终如此)。
The right solution depends on your exact scenario. 正确的解决方案取决于您的实际情况。 My experience is that in most cases it's not worth to fix something that is not broken yet (unless of course you know it will not work that way in the scenario you want to use it in). 我的经验是,在大多数情况下,不值得修复尚未损坏的东西(除非您当然知道在您要使用的情况下它不会以这种方式工作)。
解决方案2
0 2017-05-21 14:07:14
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.