The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Help modeling User/Group permissions

As an RoR learning exercise I'm trying to create a basic CMS with some permissions.  Basically, I have Users, Articles and Groups.  Users can have a role of either: Author or Viewer.  Some articles are private and some are public.  For private articles, I'd like to have a system where an article can be permissioned to either a group or to an individual user or even both.


When a website visitor tries to access an article AND the article is 'Private', I'd like for the system to prompt the visitor to login. Once logged in, I want the system to then check if this user has permission to view the article.  Permission being defined as: if this user is either in a group that has permission to the article OR the user himself has explicit permission to that article.


Here's what I currently have - does this make sense?  I'm mostly struggling with the Article_Private_Access model and whether this is a good approach.


Users:
  name
  email
  password
  role    (role is either 'Author' or 'Viewer')


Group_Users
  group_id
  user_id

Groups:
  name

Articles
  user_id
  access_type  ('Private' or 'Public')
  title
  body


Article_Private_Access  (** this serves to link Articles with permissioned Users or Groups)
  article_id
  access_type  ('Group' or 'User')
  access_id    (this id would point to either a User  record, or a Group record)


I'm just not sure whether to use the Article_Private_Access table and/or how to model it.  I was thinking this table would contain a list of Users and/or Groups that had access to a particular Article.  But I'm a bit lost now....

Any help would be greatly appreciated.
Jim Jones
Tuesday, May 01, 2007
 
 
The "flaw" with your current scheme is that users and groups are exclusive. For example, Joel may want to publish announcements of his products to a Windows XP users' group, but choose not to be a member of the group itself due to spam. (To be fair, you may wish to prevent that sort of thing but it's handy to have a "superuser" or a "supermoderator" outside of the group in question.)

So you really have two things you need to check: a list of explicitly named people who are allowed to access the article, and a separate list of groups allowed to access the article. If the person is on either list in some fashion, you determine if he has write access (authors), otherwise default to read access (viewers).

I would drop the article_private_access table, and instead modify the articles table to have 1:N relationships with the users and groups.  Within that relationship table, include the level of access.  For example...

article id, userid, write
----------- ------- ------
02937847321 0000001 Yes
02937847321 0000002 No
02937847321 0000004 No

You'll notice that user #3 is not on the list. He does not have permission - as a user - to access the article, although he may have permission as a member of a group.
TheDavid
Tuesday, May 01, 2007
 
 
Thanks for the response.

I'm not sure I completely follow.  In the example you give are you referring to the Articles table or the Groups_Users table? 

I was sort of thinking of keeping Permissions to Articles and User/Groups separate.  I'm trying to have a very easy way to quickly add users to groups, and then apply those groups to published Articles for permissioning.
Jim Jones
Tuesday, May 01, 2007
 
 
There is an articles table, a groups table, and a users table. There are two relationship tables: articles-groups and articles-users. So in this example (primary keys are marked with a pk, foreign keys are marked with an fk)...

articles
  article id (pk)
  article text

users
  user id (pk)
  user name

groups
  group id (pk)
  group name

article-users
  article id (fk)
  user id (fk)
  write privilege?

article-groups
  article id (fk)
  group id (fk)
  write privilege?

Therefore, to see if group "Windows XP" has read permission to the article on security holes, you'd see if there's a row with that group id and that article id in the article-groups table. No row means no access.

So far so good?
TheDavid
Tuesday, May 01, 2007
 
 
Oh yeah, I forgot. To add users to groups, you just need an additional relationship table, specifically...

group-users
  group id (fk)
  user id (fk)
TheDavid
Tuesday, May 01, 2007
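TheDavid's model (the three entity tables, the two article relationship tables, and the group-users table from the follow-up) in runnable form, as an added example that is not from the thread. Column names, the `is_private` flag, and the sample rows are my own constructions; the check implements the reply's rule that no row in either relationship table means no access.

```python
import sqlite3

# Schema as sketched in the thread (column names are my own rendering).
SCHEMA = """
CREATE TABLE articles (article_id INTEGER PRIMARY KEY, title TEXT, is_private INTEGER NOT NULL);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE "groups" (group_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE group_users (group_id INTEGER REFERENCES "groups", user_id INTEGER REFERENCES users,
    PRIMARY KEY (group_id, user_id));
CREATE TABLE article_users (article_id INTEGER REFERENCES articles, user_id INTEGER REFERENCES users,
    can_write INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (article_id, user_id));
CREATE TABLE article_groups (article_id INTEGER REFERENCES articles, group_id INTEGER REFERENCES "groups",
    can_write INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (article_id, group_id));
"""
# Constructed sample data: article 1 is private, article 2 public. alice has an
# explicit write grant without being in any group; carol only gets in via the group.
SAMPLE = """
INSERT INTO articles VALUES (1, 'Security holes', 1), (2, 'Hello world', 0);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol'), (4, 'dave');
INSERT INTO "groups" VALUES (10, 'Windows XP');
INSERT INTO group_users VALUES (10, 3);
INSERT INTO article_users VALUES (1, 1, 1), (1, 2, 0);
INSERT INTO article_groups VALUES (1, 10, 0);
"""
# Every grant row that applies to this user for this article, directly or via a group.
GRANTS_SQL = """
SELECT au.can_write FROM article_users au
 WHERE au.article_id = :a AND au.user_id = :u
UNION ALL
SELECT ag.can_write FROM article_groups ag
  JOIN group_users gu ON gu.group_id = ag.group_id
 WHERE ag.article_id = :a AND gu.user_id = :u
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def access_level(conn, user_id, article_id):
    """Return 'write', 'read' or None. user_id None is an anonymous visitor."""
    row = conn.execute("SELECT is_private FROM articles WHERE article_id = ?",
                       (article_id,)).fetchone()
    if row is None:
        return None                      # unknown article: deny
    grants = [g for (g,) in conn.execute(GRANTS_SQL, {"a": article_id, "u": user_id})]
    if grants:                           # any grant row wins; write if any row says so
        return "write" if max(grants) else "read"
    return None if row[0] else "read"    # private with no grant: prompt for login
```

A private article with no matching row in either table returns None, which is the point at which the site would redirect to the login page.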
 
 
The way I've handled this in the past, which makes the checking for access a bit nicer, is to only have a link between Groups and (in your case) Articles. To allow the more specific permissions, all users are created alongside a group (that shares their name) to which they belong.
G Jones
Sunday, May 06, 2007
 
 
I'm a fan of:

-tblUser
pkUser
strUser
...

// each user belongs to at least his own group
-tluGroup
pkGroup
strGroup

-tjxGroupUser
lkGroup
lkUser

-tblArticle
pkArticle
...

// could add moderator, super-user, etc.
-tluAccess
pkAccess
strAccess

-tjxArticleGroupAccess
fkArticle
lkGroup
lkAccess

FWIW,
Gecko
Sunday, May 06, 2007
 
 

This topic is archived. No further replies will be accepted.
