>pull out my module

er.... (too english! - moving on.....)..

Sounds like a PLAN - You could post it here daisho?

Nick

Yep, its the two column table that makes the design into 3rd normal form.

The problem - you now need to use inner joins :( its messy trying to write them manually, but something like this will give a list of editors and thier categories:

select editor.name, category.name from
editior inner join isAnEditorOf
on editor.id = iaAnEditorOf.Editor_id
inner join category on
isAnEditorOf.category_id = category.id

Unfortunatly I think it may be a little large to post here. Not sure what the polically correct thing to do in this situation as we should not be having links in the forums. Any suggestions? I'd be happy to share with everyone providing they share any of their cool changes :)

daisho

Wow, I've never done an inner join before! I am beginning to like this idea more though, it seems simpler for what I need but if I could get daisho's understood I think that has some big benefits from the sound of it.

So, in my case, which we'll assume is to make a system that's kind of a cross between DMOZ and just about any forum software you'd care to mention, which would be more appropriate?

Nick

I may be a little bias since it's the way that I did things but I like abstraction. At any time I can really change the way my model works since when I want to do something I always ask the security model "Can daisho do editcategory". The model then replies with a Yes or No. If I change the way the model works then it just uses different logic to see if it's Yes or No.

Though my model definatly adds some complication to the mix and takes some additional setup.

Being a MOD here yourself Nick whats the best way for me to post my security model. It consists of about 5 source files and a table definition file. I can tar.gz it and put it up at my site. Though how do I go about sharing the link?

daisho

>> inner joins

Bah, not that bad. ;)

Ok, so what would an example compound key look like?

>> which would be more appropriate?

Again - I'll default to your decision. daisho's idea is more flexible I think but with aspdaddy's ideas you also gain flexibility. I think the latter is the easier to implement despite the inner joins.

So do I.

Can we get an full explanation Aspdaddy?

And thanks again everyone, this is a real education!

Nick

>compound key

Well thats it , both columns together are the key, because each editor-category pair is unique.
You could add a primary key as well but no need really.

btw- this is no solution for the hierachy/inheritance thing, thats another big and separate problem. This just gets around the problem of allowing multiple records per entity.

>Hierachy

It was an ideal ;) - Another thing I've learnt today is that sometimes balancing realism against the ideaL goal is painful but needed ;)

Nick

>compound key

Why would it need one? - Surely the editor id would be good right?

Nick

no becase an editor edits many cats :)

editor id cat id
========= ======
1 14
1 15
2 12
2 19

Sure, so when I need to look up who the editor is I could get quite a few rows but it'd be:

SELECT edid FROM table WHERE edid = 4 AND catid = 3

So what would be the advantage with a compound key?

Just dont see the theory, I've no doubt you're right ;)

Nick

It essentially gets around the issue of having multiple catIDs in a single field which is one of the results of my original proposal. ShawnR's concept gets around this too.

Primary Key are Unique Keys. Since an editor can show up more than once and a category can show up more than once neither of these are sutable for a Primary Key. But you will never have a repeat of Editor and Cateogry in the same row. That's where the compound key comes in.

<forget it>

Now I get it, you posted at the same time as I was ;-)

Superb!

Added - Of course theres no need for there to be a primary key though is there?

Nick

[edited by: Nick_W at 5:56 pm (utc) on April 30, 2003]

SELECT editor.name, category.name
FROM editor inner join isAnEditorOf
on editor.id = isAnEditorOf.Editor_id
inner join category
on isAnEditorOf.category_id = category.id

This says essentially that I want the editor's name and the category name where the editor's ID exists in the isAnEditorOf table AND that record contains the category ID.

Much easier than using

SELECT edid FROM table WHERE edid = 4 AND catid = 3

as the point is to get all categories the single editor has permissions to and not just to check if the editor can access one.

<nick is blown away...>

Well, can we summarize? - My heads spinning!

[b]editors[/b]
edid ¦ status ¦ name
[b]cats[/b]
catid ¦ title ¦ desc ¦ cat_parent
[b]isEdidtorOf[/b]
edid ¦ catid

That look right for the Schema?

Nick

>> head is spinning

Yours and mine both - and Pubcon finished a few days ago. :)

Let's get the specs down first. It's not a true heirarchy if you want to be able to pick and choose categories. So which is it - top down heirarchy or random categorical assignment?

I think we have to go with the second. It's like the '1000's of levels' thing. Theory is fun but I gotta build this thing soooon! ;)

Nick

>isn't that what I posted in msg1?
it is, sorry I diddnt realise that!

I think (in a relational model at least) you would have to make those 100 inserts, or how else are you storing the fact that you have permission to edit all those cats.

But it wouldnt be often would it? And its only two integers being inserted. Maybe it could be part of the db setup script, rather than production.

I was afraid you'd say that. O daisho... where are yooooouuuu.

Daisho's model is the better of the two for that version. ShawnR's and mine or more for the top down approach but they don't allow for categories on the same level.

The more I think about this the more I see how you could add the hiearchy code that lorax talks about to my model.

The nice thing that I see with my model is that you can add oddball permissions that almost sit outside your hiearchy. Ie if you want moderators to be able to see all IP addresses for submissions in all categories. Just add that permission.

Because of the abstraction you can secure anything. Like I said it wouldn't be to hard to add the hiearchy model to mine which would also let you have you 1000 groups deep model.

daisho.

It has to start with the spec, and whatever way you model it, my guess it will break if the spec changes too much... its just seems like that kind of database to me.

Before writing off the 100 inserts scenario, look at the recursion as that can be expensive too.

<added>
I would follow it through, data models one thing, but you need to write many queries too, inserts, updates, deletes..One design may be easy now but give you trauma when writing the deletes..:(
</added>

[edited by: aspdaddy at 7:32 pm (utc) on April 30, 2003]

Hopefully this is not to long to post but here are the SQL scripts to setup the table schema for my model (without hiearchy). This should allow a little bit better analysis.

As you can see by my initial inserts at the bottom even the rights manager uses it's self to granting access to manage rights :)

daisho.

CREATE TABLE tblaccess_rights (
right_idVARCHAR2(100) NOT NULL,
right_descVARCHAR2(100),
right_detailsVARCHAR2(4000),
right_statusNUMBER(1) DEFAULT 0 NOT NULL,
CONSTRAINT pk_access_right_id PRIMARY KEY (right_id)
);

CREATE TABLE tbladmin_user_rights (
admin_idNUMBER DEFAULT 0 NOT NULL,
right_idVARCHAR2(100) NOT NULL,
CONSTRAINT pk_admin_user_rights PRIMARY KEY (admin_id,right_id)
);

CREATE TABLE tbladmin_group_rights (
group_idNUMBER DEFAULT 0 NOT NULL,
right_idVARCHAR2(100) NOT NULL,
CONSTRAINT pk_admin_group_rights PRIMARY KEY (group_id,right_id)
);

CREATE TABLE tbladmin_user_group (
admin_idNUMBER DEFAULT 0 NOT NULL,
group_idNUMBER DEFAULT 0 NOT NULL,
CONSTRAINT pk_admin_user_group PRIMARY KEY (admin_id,group_id)
);

CREATE TABLE tbladmin_user (
admin_idNUMBER DEFAULT 0 NOT NULL,
admin_loginVARCHAR2(15) NOT NULL,
admin_passwordVARCHAR2(15) NOT NULL,
admin_nameVARCHAR2(50),
CONSTRAINT pk_admin_user_id PRIMARY KEY (admin_id)
);
CREATE UNIQUE INDEX idx_admin_user_login ON tbladmin_user (admin_login);
CREATE INDEX idx_admin_user_password ON tbladmin_user (admin_password);
CREATE SEQENCE seq_admin_id;

CREATE TABLE tbladmin_group (
group_idNUMBER DEFAULT 0 NOT NULL,
group_nameVARCHAR2(50),
CONSTRAINT pk_group_id PRIMARY KEY (group_id)
);
CREATE SEQUENCE seq_group_id;

INSERT INTO tbladmin_group VALUES (seq_group_id.nextval,'Administrators');
INSERT INTO tbladmin_user VALUES (seq_user_id.nextval,'admin','adminpw','The First Administrator');
INSERT INTO tbladmin_user_group values (1,1);
INSERT INTO tblaccess_rights VALUES ('rightsmanager','Rights Manager Access','Granted this access will allow the user to manage (add/edit/delete) access permisstions across the system. Do not remove this access right from yourself or you will no longer be able to use this manager!',0);
INSERT INTO tbladmin_group_rights VALUES (1,'rightsmanager');
COMMIT;

hmmmmm... whats VARCHAR2 daisho?

My mysql don't like it ;(

Also, I don't understand half of those commands, contraint etc.... - I need this to work sooner than it would take to learn it all I think although it looks facinaitng ;)

Nick

Sorry Nick,

This script is an Oracle script. Slightly different things than MYSQL. Change "NUMBER" to "BIGINT" and "VARCHAR2" to "VARCHAR".

The Constraint lines are simplay a different form of doing:

admin_id BIGINT NOT NULL DEFAULT 0 PRIMARY KEY

The reason I use a constraint line rather than putting "PRIMARY KEY" inline is that I can name the key. Easier to look at what's what down the road.

Also for mysql you will want to take out the "CREATE SEQUENCE" commands and then add "AUTO_INCREMENT" command to admin_id and group_id on tbladmin_user and tbladmin_group respectivly. Oracle does not have auto increment columns they have sequences.

Also then with the inserts take out the "seq_admin_id.nextval" and "seq_group_id.nextval" and replace with "NULL" to trigger the autoincrement.

Sounds like a lot but it shouldn't be that much.

daisho.

So Nick, are you all set with this? Have it up and running now?!

Wow what a thread... I must admit my eyes glassed over by the time I read aspdaddy and daisho's last posts :) ...but just wanted to throw this in to the pile before this thread wrapped up. See if this makes sense:

two tables, two looks ups, unlimited heirarchy.

editor
editorID ¦ catID

relationships
catID ¦ parent

So for a heirarchy like:
/grandparent/parent/child

...the relationship table would look like (using names just for example):

relationships
parent ¦ grandparent
child ¦ parent
child ¦ grandparent

you only edit the relationships table when you add a level. So if you add 'grandchild' making the heirarchy:
/grandparent/parent/child/grandchild

...then the relationship table looks like:
relationships
parent ¦ grandparent
child ¦ parent
child ¦ grandparent
grandchild ¦ child
grandchild ¦ parent
grandchild ¦ grandparent

So to find out who can edit the 'child' category, first you query the relationships table for all the parents to 'child' which are 'parent' and 'grandparent'.

Then you query the editor table for:
catID='child' OR catID='parent' OR catID='grandparent'

Sorry I missed all the action; it was way past my bed time in Sydney...

Just to give my thoughts on some of the posts that occured since I left...

msg#24, lorax: "...how far to go with normalization depends upon the number of levels required... I tend to err on the side of practicality in these cases..."

Agree 100% in going for practicality. That is what I meant by "...in which case the above might not be the best way to go, and the fastest code is unlikely to be normalised code. ..." (msg#11). However, the deviations from normalisation that I had in mind did not include stringing together foreign keys and putting them in a text field. That doesn't help with speed or efficiency or even ease of coding. Instead of that sort of implementation, just use a join table which takes the two foreign keys, like the 'perms' table in Nick's 1st post.

msg#25, Nick:"...is there a way to use Shawns approach AND allow a editor to have 2 or more cats?..."

That is what I meant when I asked (msg#11): "...>>Is it possible for an editor to have 2 roles? e.g. mod for "css" and admin for "Search engine world" ..." If the answer is 'Yes', then see msg#20.

msg#26, aspdaddy:"...But - categories-editors is a many-to-many relation..."

As above, see msg#20. Haven't heard the term 'link group' before, though. The term I'm familiar with is join table. Seems to be the same thing :). I agree a composite key is better than the unused primary Key "unused_pkID" I had in msg#20.

msg#50, aspdaddy:"...I think (in a relational model at least) you would have to make those 100 inserts, or how else are you storing the fact that you have permission to edit all those cats. ..."

Disagree. However, the look-up would be more complex. Basically a recursive lookup, starting from the category where the editor has permissions, and doing a select to find all the other categories which have parent_catID equal to that category; then a select to find all their children, then a select to find all their children, etc... until you get to the leaves. As I said before, max lookups = number of levels in hierarchy. Similarly, if you want to find out whether an arbitrary editor has rights to an arbitrary cat, just test: Is the catID = to the editor's catID, if no, is the parent_catID = to the editor's catID, etc until you either find it or you are at the top and haven't found it. Again, max lookups = number of levels in hierarchy. Average lookups much less.

msg#58, jamesa:"...relationships
parent ¦ grandparent
child ¦ parent
child ¦ grandparent
..."

If there are only of the order of less than 100 levels, I don't like this solution. It is not Normalised, and carries redundant information. (I can figure out who my grand parent is if I know who my parent is and I know who my parent's parent is.) The danger is data integrity, as various maintanance activities are more complex.

So, my recommendation: A hybrid of:

• daisho's suggestion, or what I suggested in msg#20, for the security profile part,
  and
  
• what I suggested in msg#11 or msg#20 for the hierarchy part.
  

Hope all this is not too late...

Thanks all for a fascinating thread. Hope my comments above don't come across as negative, and please accept my apology for terms like 'my suggestion'... In truth we were all saying very similar things, and very close to what was already in msg#1, so it was really a collaborative effort (well it was, until daisho hauled out actual code! ;) )

Shawn

...so it was really a collaborative effort (well it was, until daisho hauled out actual code! ;) )

Shawn

Sorry about that Shawn. Just sounded like nick needed to get going on things. Sometimes I find it hard to just talk abstract and like seeing schema definitions. Please comment on anything you see. I am very excited in this thread and am anxious to expand my security class with some of the comments made here. Namely I will be adding some type of hiearchy support. Just have to figure out the way I want to do it.

daisho.