in reply to Optimising a flexibile privilege system

You're getting ahead of yourself. You don't say whether or not you even have a basic version working that takes a second per check. Get something functional and put tests around it so that every optimization can still be checked for correctness. It does no good to have it return in 10 milliseconds if the answer is wrong 10% of the time.

My criteria for good software:
  1. Does it work?
  2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?

Re^2: Optimising a flexibile privilege system
by clinton (Priest) on Apr 26, 2006 at 17:51 UTC
    I do have a working version but it has the problem of speed for the initial request, and then the changing of a high level intersection of privileges which would affect many cached values.

    At the moment, if privileges change, I'm just emptying the entire privilege cache, which is not very efficient.

    So the system works, I just think that it could be better, faster and more scalable, and my question is whether my proposed solution sounds good: to maintain speed and accuracy at the expense of table space.

    The code for checking the inherited permissions is as follows:

    #===================================
    sub inherited_permission {
    #===================================
        my $self = shift;
        unless (defined $self->{_inh}) {
            # Candidate object IDs: the object itself, its groups and its parent
            my $object           = $self->object;
            my $object_parent_id = $object->parent_id;
            my @object_groups    = $object->groups;
            my $own_object_id    = $object->id;
            my @object_ids       = ( $own_object_id, @object_groups, $object_parent_id );

            # Candidate subject IDs: the subject itself, its groups and its parent
            my $subject           = $self->subject;
            my $subject_parent_id = $subject->parent_id;
            my @subject_groups    = $subject->groups;
            my $own_subject_id    = $subject->id;
            my @subject_ids       = ( $own_subject_id, @subject_groups, $subject_parent_id );

            # Start from this pair's own permission and OR in every inherited one
            my $inherited_permission = $self->permission;
            foreach my $object_id (@object_ids) {
                foreach my $subject_id (@subject_ids) {
                    # Skip missing IDs and the (self, self) pair already counted above
                    next if !($subject_id && $object_id)
                        || ($subject_id == $own_subject_id && $object_id == $own_object_id);
                    my $permission = $self->new({
                        object  => $self->base_class->new($object_id),
                        subject => $self->base_class->new($subject_id)
                    });
                    $inherited_permission |= $permission->inherited_permission;
                }
            }
            $self->{_inh} = $inherited_permission & $self->mask;

            # Remove the subject/object references while saving to the cache, then restore them
            my @saved = delete @{$self}{'_subject','_object'};
            $self->save_to_cache;
            @{$self}{'_subject','_object'} = @saved;
        }
        return $self->{_inh};
    }

    (There is some added complexity involved because in my live system, the actual privileges reported depend on the 'status' of each object, so an album of status 'awaiting approval' would grant different privileges to an album of status 'approved'). This is just handled by a series of predefined masks.
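
Added example, not part of clinton's post or his system: one way to avoid emptying the entire privilege cache is to record, for each cached result, which direct grants it was computed from, so that changing one grant evicts only the entries that depend on it. The `%inherits` and `%grant` tables, the `lineage` and `set_grant` helpers and the sample data are hypothetical; status masks and membership changes are not modelled, and the inheritance graph is assumed to be acyclic.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (hypothetical): each node lists the nodes it
# inherits from (groups and parent), like @object_ids / @subject_ids above.
my %inherits = (
    alice  => ['editors'],
    bob    => ['viewers'],
    photo1 => ['album1'],
    photo2 => ['album2'],
);
# Direct grants, keyed "subject|object", as permission bit masks.
my %grant = ( 'editors|album1' => 0b011, 'viewers|album2' => 0b001 );

my %cache;        # "subject|object" => inherited permission bits
my %dependents;   # grant pair => { cache keys computed from that pair }

# A node followed by everything it inherits from (assumes no cycles).
sub lineage {
    my ($id) = @_;
    return ($id, map { lineage($_) } @{ $inherits{$id} || [] });
}

# OR together the direct grants of every (subject, object) ancestor pair and
# record, for each pair consulted, that this cache entry depends on it.
sub inherited_permission {
    my ($subject, $object) = @_;
    my $key = "$subject|$object";
    return $cache{$key} if exists $cache{$key};
    my $bits = 0;
    for my $s (lineage($subject)) {
        for my $o (lineage($object)) {
            my $pair = "$s|$o";
            $bits |= $grant{$pair} || 0;
            $dependents{$pair}{$key} = 1;
        }
    }
    return $cache{$key} = $bits;
}

# Change one direct grant and evict only the cache entries computed from it.
sub set_grant {
    my ($subject, $object, $bits) = @_;
    my $pair = "$subject|$object";
    $grant{$pair} = $bits;
    my $deps  = delete $dependents{$pair};
    my @stale = $deps ? keys %$deps : ();
    delete @cache{@stale};
    return scalar @stale;
}

inherited_permission('alice', 'photo1');
inherited_permission('bob',   'photo2');
my $evicted = set_grant('editors', 'album1', 0);    # revoke a high-level grant
printf "evicted=%d alice=%03b bob_still_cached=%s\n", $evicted,
    inherited_permission('alice', 'photo1'),
    exists $cache{'bob|photo2'} ? 'yes' : 'no';
```

Dependency records left behind by an evicted entry can only cause an extra eviction later, never a stale answer, so a revoked grant is never served from the cache.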