postgresql - How do I minimize round-trips to SQL with user-based authorization? -

-

context: mvc web service backed sql db. have user relation in database, , set of relations reference through chain of fks. example let's have table:

sales_people car_dealership cars

where sales person belongs car dealership, , cars. sales people should able see cars belong specific dealership. have few options here:

i can bake authorization business logic sql query itself:

select * cars c, sales_people sp, car_dealerships cd where c.dealership_id = cd.id , sp.dealership_id = cd.id , sp.id = ? , c.id = ?

assuming caller has verified sales_people id legit , prevents trivial spoofing of id, query above prevent user getting hold of cars aren't his. extended arbitrary # of tables long join isn't massive.

upside? 1 single db call.

downside?

  • the authorization business logic here basic. user referenced 1 of tables? sure, can pass. let's have have more complex access rules. it's might not doable 1 simple query.
  • it's hard tell if user requested unauthorized row or if row authorized doesn't exist, makes error reporting tricky. wouldn't know if should report 200 or 403 (although depending on type of api might want use 200 in these cases prevent exposing information attacker).

the other option see make queries before or after fact validate data indeed accessible user. e.g. list of ids of cars sales person authorized , perform query on subset, or exact other way around.

the upside can make more calls , run more logic in business layer , sophisticated want.

the downside generating more db traffic deal-breaker depending on how frequent request made.

i'm missing few other options here, , i'd love hear how you've solved problem before. there better way?

i think general rule, should make code behave logically, , scale performance in other ways, e.g. bigger more powerful database or caching results.

for application, use multiple queries. i've timed our system, , 5-10 round trips take less 1 ms. that's enough me. i've seen others create complicated stored procedures want. result can return things 403 or 404 database.

i prefer make multiple trips database make code cleaner , easier read. true if load not big. hardware cheap, time not.


Comments

Post a Comment

Popular posts from this blog

javascript - DIV "hiding" when changing dropdown value -

-
this related previous question asked: hide / show multiple divs i have code in place previous question , seems work ok apart when change value in dropdown "after" ticket selection made. i have number of javascrpts in place wondering if there clash somewhere? first bit of code in head of document. <head> <script type="text/javascript"> $(function() { $('.cat_dropdown').change(function() { $('#paymethod').toggle($(this).val() >= 2); }); }); </script> <script type="text/javascript"> $(document).ready(function () { $(".paymentmethod").click(function () { $(".paymentinfo").hide(); switch ($(this).val()) { case "credit card authorisation": $("#pay0").show("slow"); break;
Read more

Does Firefox offer AppleScript support to get URL of windows? -

-
i trying write applescript that, among other things, gets url of every open webpage in firefox. in safari (and chrome), done simply: tell application "safari" return url of every tab in every window however, seems me firefox offers no real applescript support, such getting url of tab or window. when google terms "firefox" , "applescript" together, firefox bug requests asking applescript support restored, last updated in 2010 or 2011 (like this , this ). am right in thinking, then, firefox no longer offers proper applescript support? realize there semi-workarounds, such simulating key-commands in applescript, aren't practical purposes. to see of applescript commands firefox responds to, launch applescript editor, select menu file > open dictionary... , , choose firefox application. you'll find you're expecting: firefox doesn't offer useful applescript commands.
Read more

android - How to install packaged app on Firefox for mobile? -

-
how test-install packaged (zip) app on fennec? device: physical android phone or android emulator, don't care. install mozilla-apk-cli using npm: npm install -g mozilla-apk-cli use generate "debuggable" apk app either source directory or url mini-manifest: mozilla-apk-cli /path/to/source/dir/ arbitrary-name.apk mozilla-apk-cli http://example.com/path/to/mini/manifest.webapp arbitrary-name.apk (context-click > inspect element on "free" button in marketplace discover mini-manifest url app in marketplace.) install apk on android device: adb install -r arbitrary-name.apk launch app on device. notification area notification port remote debugger server listening on. forward port on desktop, f.e. if port 12345: adb forward tcp:12345 tcp:12345 go web developer > connect… in firefox on desktop , connect localhost @ forwarded port. commence debugging! notes: use nightly builds of fennec best experience. bug 929382 tracks
Read more