The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Help modeling User/Group permissions

As a RoR learning exercise I'm trying to create a basic cms with some permissions.  Basically, I have Users, Articles and Groups.  Users can have a role of either: Author or Viewer.  Some articles are private and some are public.  For private articles, I'd like to have a system where an article can be permissioned to either a group or to an individual user or even both.

When a website visitor tries to access an article AND the article is 'Private', I'd like for the system to prompt the visitor to login. Once logged in, I want the system to then check if this user has permission to view the article.  Permission being defined as: if this user is either in a group that has permission to the article OR the user himself has explicit permission to that article.

Here's what I currently have - does this make sense?  I'm mostly struggling with the Article_Private_Access model and whether this is a good approach.

User
  role         (role is either 'Author' or 'Viewer')

Article
  access_type  ('Private' or 'Public')

Article_Private_Access  (** this serves to link Articles with permissioned Users or Groups)
  access_type  ('Group' or 'User')
  access_id    (this id would point to either a User record, or a Group record)

I'm just not sure whether to use the Article_Private_Access table and/or how to model it.  I was thinking this table would contain a list of Users and/or Groups that had access to a particular Article.  But I'm a bit lost now....

Any help would be greatly appreciated.
Jim Jones
Tuesday, May 01, 2007
The "flaw" with your current scheme is that users and groups are exclusive. For example, Joel may want to publish announcements of his products to a Windows XP users' group, but choose not to be a member of the group itself due to spam. (To be fair, you may wish to prevent that sort of thing but it's handy to have a "superuser" or a "supermoderator" outside of the group in question.)

So you really have two things you need to check: a list of explicitly named people who are allowed to access the article, and a separate list of groups allowed to access the article. If the person is on either list in some fashion, you determine if he has write access (authors), otherwise default to read access (viewers).

I would drop the article_private_access table, and instead modify the articles table to have 1:N relationships with the users and groups.  Within that relationship table, include the level of access.  For example...

article id, userid, write
----------- ------- ------
02937847321 0000001 Yes
02937847321 0000002 No
02937847321 0000004 No

You'll notice that user #3 is not on the list. He does not have permission - as a user - to access the article, although he may have permission as a member of a group.
Tuesday, May 01, 2007
Thanks for the response.

I'm not sure I completely follow.  In the example you give are you referring to the Articles table or the Groups_Users table? 

I was sort of thinking of keeping Permissions to Articles and User/Groups separate.  I'm trying to have a very easy way to quickly add users to groups, and then apply those groups to published Articles for permissioning.
Jim Jones
Tuesday, May 01, 2007
There is an articles table, a groups table, and a users table. There are two relationship tables: articles-groups and articles-users. So in this example (primary keys are marked with a pk, foreign keys are marked with an fk)...

articles
  article id (pk)
  article text

users
  user id (pk)
  user name

groups
  group id (pk)
  group name

articles-users
  article id (fk)
  user id (fk)
  write privilege?

articles-groups
  article id (fk)
  group id (fk)
  write privilege?

Therefore, to see if group "Windows XP" has read permission to the article on security holes, you'd see if there's a row with that group id and that article id in the article-groups table. No row means no access.

So far so good?
Tuesday, May 01, 2007
Oh yeah, I forgot. To add users to groups, you just need an additional relationship table, specifically...

groups-users
  group id (fk)
  user id (fk)
Tuesday, May 01, 2007
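The access check implied by the two relationship tables above, written out as an added example (not code from the thread); the table contents, ids and the `access_level` name are constructed for illustration, with the tables held in plain Ruby arrays rather than ActiveRecord models.

```ruby
# Constructed sample data mirroring the schema discussed in the thread.
ARTICLES = {
  1 => { access_type: 'Private' },
  2 => { access_type: 'Public' },
}
# articles-users: explicit per-user grants, each with a write flag
ARTICLES_USERS = [
  { article_id: 1, user_id: 1, write: true },
  { article_id: 1, user_id: 2, write: false },
]
# articles-groups: per-group grants, same shape
ARTICLES_GROUPS = [
  { article_id: 1, group_id: 10, write: false },
]
# groups-users: membership
GROUPS_USERS = [
  { group_id: 10, user_id: 3 },
]

# Returns :write, :read, :login_required (anonymous visitor on a private
# article, so the controller can redirect to login) or nil for no access.
def access_level(article_id, user_id)
  article = ARTICLES.fetch(article_id)
  return :read if article[:access_type] == 'Public'
  return :login_required if user_id.nil?

  # Rows naming this user directly on this article
  grants = ARTICLES_USERS.select do |r|
    r[:article_id] == article_id && r[:user_id] == user_id
  end
  # Plus rows naming any group this user belongs to
  group_ids = GROUPS_USERS.select { |r| r[:user_id] == user_id }
                          .map { |r| r[:group_id] }
  grants += ARTICLES_GROUPS.select do |r|
    r[:article_id] == article_id && group_ids.include?(r[:group_id])
  end

  return nil if grants.empty?            # no row on either list: no access
  grants.any? { |r| r[:write] } ? :write : :read
end
```

A user who appears both directly and via a group gets the higher of the two levels, so a read-only group grant never downgrades an explicit write grant.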
The way I've handled this in the past, which makes the checking for access a bit nicer, is to only have a link between Groups and (in your case) Articles. To allow the more specific permissions, all users are created alongside a group (that shares their name) to which they belong.
G Jones
Sunday, May 06, 2007
I'm a fan of:

// each user belongs to at least his own group

// could add moderator, super-user, etc.
Gecko
Sunday, May 06, 2007

This topic is archived. No further replies will be accepted.
