I don't understand why the 64 bit limit is a problem. The bits are used to identify operations. The user id should be stored in another field.

There is no possible way your users will think about the security of 64 different operations. Maybe I'm missing something though. Could you list some of the "real" permissions instead of just the read/write/execute example?

I designed a security module that stores object permissions in an ACL table. Each different operation is given a column in the ACL table. If the value of the column is even, permission is denied; if the value is odd, permission is granted.

The data model looks like this: 

ACL (
  item_id integer,
  group_id integer,
  read_access integer,
  write_access integer,
  create_access integer,
  delete_access integer
  ...
)

-- All objects with security assignments have
-- an entry in the item table. Common attributes
-- such as owner, creation date, data retention
-- schedule, dispose-by date, etc. are stored
-- here too.

ITEM (
  id integer,
  ...
)

-- The session table is updated when a person
-- logs in. Hierarchical group memberships are
-- flattened out and inserted into the session
-- table.

SESSION (
  user_id integer,
  group_id integer
)

[download]

Each different object class can implement its own has_user_access method. The base class method does a simple ACL test using this query: 

  select max(read_access)
    from acl, session
    where acl.group_id = session.group_id and
          acl.item_id = :ITEM and
          session.user_id = :USER

[download]

The results of these security tests are cached only for the immediate operation (Apache request object). I use a bit-field, but since it is just a cache, the implementation can change without affecting any other code. After the operation is complete, the cache is thrown away so that security information can not leak between user sessions. (It is not as horrible as it sounds -- the database keeps its own cache so these checks rarely hit the disk.)

In reply to Re: Bitmask or Named permissions by blssu
in thread Bitmask or Named permissions by linux454

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.