stackoom
  简体   繁体   中英

Understanding Web App Permissions with MySQL

 原文  2017-05-21 13:59:11       mysql/ web-services/ security/ permissions/ acl

Question

Assume I have a schema defined with the 4 following entities: 

Users 
  -> Timeline (fk: userId)
    -> Entries (fk: timelineId)
      -> Tags (fk: entryId), where fk means foreign key.

Now, let's say I want to check in the web application if a user has permission to delete a particular tag. Right now I use Basic Authentication, check if the user's email // password exist in the database, and if so, grab the userId.

Because of the userId only existing on the Timeline entity, I feel like I'd need to do the following: 

DELETE t.* FROM `tags` AS t
  INNER JOIN `entries` AS e ON t.entryId = e.id
  INNER JOIN `timelines` AS tl ON e.timelineId = tl.id
WHERE
  tl.userId = ? AND
  t.id = ?

This approach works, but I feel like it would be inefficient. Instead, I could add a userId FK to every single table such as the tags, but that also seems like a maintenance nightmare.

I can't think of any other approaches other than implementing some other type of permission system, such as using an ACL. Any suggestions?

2 answers

solution1
 1  2017-05-22 09:50:10

I think you can choose from a few options:

  • leave it as is until it actually becomes a problem and fix it then (it probably won't be a problem, there's a lot of optimization in MySQL)
  • add foreign keys to tables as you proposed and take the overhead on changes (your models / data access layer should hide the problem from higher layers anyway)
  • implement some kind of custom caching
    • you can either create something like a cache table, probably in a nosql database like Redis, which would be very fast (once a permission is retrieved, it can live in the cache for a while, but be aware of consequences, for example permission changes will not be immediate)
    • you can use memcache
    • you can do custom in-memory caching in your app (be careful with using the session for this, session-related vulnerabilities might allow an attacker more access than you intended)

Basically and in general it's a compute / storage tradeoff I think. You either compute permissions every time or store them pre-computed somewhere, which means you need to re-compute them sometimes (but probably not all the time).

The right solution depends on your exact scenario. My experience is that in most cases it's not worth to fix something that is not broken yet (unless of course you know it will not work that way in the scenario you want to use it in).

solution2
 0  2017-05-21 14:07:14

Check out foreign keys here . You can simply add relationships through MySQL to the other tables, and cascade delete when the parents get removed.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question MySQL Web User permissions Access denied authorization - how to check for user permissions in web app? Update mysql in Web app Mysql for small web app Understanding Docker for providing services like web, mysql or similar Connect web app to mysql database MySql connection managment with web app A rails web app, quickbooks, and mysql MySQL callback to the web-app Java web app + mySQL in-app on Azure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM