I'm having a bit of a problem figuring out a good way to manage row-level permissions for an API i'm building.
Let's assume three tables:
List
Notes
Note comments
Notes references the list it belongs to in a list_id column
Note comments references the note it belongs to in a notes_id column
I want to be able to load all the comments that a user has access to at once. If the user has access to a list i'd like the user to also have access to the notes referencing that list, as well ass the note comments referencing any of those notes.
Is there any specific good practice for this?
Thanks!
There are several... But i'd go for proven complete solutions like using and ORM of sorts... (doctrine2 comes to mind)
But you could just write your own with some simple joins ;)
Related
I've modeled the following UML for the database of our website (uni project):
However, I can't seem to find how to convert to SQL the generalization case between Post, Story and Comment. My teacher suggested to use the same table, but I think that limits me if I want to add more features, like tags for stories. Right now I already have two extra relations: a post can have several child comments, and a story belongs to a specific channel.
Should I follow my teacher's suggestion? Or should I use 3 classes?
Since your class hierarchy has only two subclasses that come with only 3 additional properties (title, channel and post), you should use the Single Table Inheritance approach. Even when you may add a few more properties/methods later on, this will be the best choice, since implementing your class hierarchy with multiple tables would imply a much greater effort/overhead.
You can read more about this choice in the section Representing class hierarchies with SQL database tables (of a tutoral on handling class hierarchies in a JavaScript front-end web app authored by me).
As always it depends. Having a single table has the advantage of accessing related post info in a simple query and just looking at a flag inside the column telling what kind of object you're dealing with. Having separate tables is a more "academic" way of solving it since you (as you noticed) have object information separated.
I'd probably go with the single table approach in this case. But - YMMV - you can as well stick to your 3 table approach. There might come other opinions here. Just wait a few days to decide :-)
The project that I am working on requires a sort of sharing functionality meaning that when a person creates an exercise they can choose to share that exercise with another person and append a certain permission to that exercise (i.e read, write, or execute).
I have three tables(all of which have models): users, exercises, and permissions. In the middle I have an exercise_permission_user table that only has three columns: exercise_id, permission_id, and user_id all of which are foreign keys that point back to their respective tables.
The problem comes with establishing a three way many to many relationship among these tables in Laravel 5. More specifically, when a person shares an exercise, I need to input the id's of the exercise being shared, the user it is being shared with, and the permission that is being appended into the exercise_permission_user table. I then need to be able to query the user_id of this table and see all exercises that are being shared with a certain user. If the user Mike has an ID of 3, then I would like to query the middle table for that ID and find the exercise he has access to as well as the permission that he is being granted.
I am still in the learning process when it comes to eloquent so any help would be greatly appreciated. I am not necessarily looking for someone to build this for me, just some help that will give me the information necessary to do it on my own. Thanks to all that help!
I've struggled with this issue a couple of times. As far as I could research, I didn't find a Laravel native way of coding this kind of three way many to many relationship. What I generally do is to create a model for the pivot table. So, a SharedExercise model (or the name you want to use) with a protected $table property set as 'exercises_permission_user'. Inside that model you set the relationships with user, exercises and permissions. Then, you can write:
$sharedExercises = SharedExercise::where('user_id', $userId)->get();
Pay attention to the table and model naming. I usually name tables using laravel's conventions, but when I have this 3 way many to many, I try to find a more describing name than the convention. So, for example instead of exercises_permission_user and ExercisePermissionUser model, maybe shared_exercises and SharedExercise names are better.
Note that this isn't THE way to do it. It's how I do it as a result of not finding a convention in the documentation.
I have a site that has different type of products with different specifications for each of them.
I want to be able to use only one products table with a set of columns but because columns are different depending on what type, I have to create multiple products table catering for each type. This I think is time consuming and not really effective way to manage as an ongoing solution.
Is there a good way to manage this type of scenario with the database?
I'm using Cakephp as the framework.
Normalise your data structure: for example, have a product_info table (with FK into the products table) that contains columns key and value to express additional information about each product.
Martin Fowler lists three general approaches.
Single table - Putting all the columns in one table and only using the ones you need (this sounds the closest to what you have)
Class table - All classes have their own table storing data specific to that class (with the same primary key in every relevant table)
Concrete table - The same as above, but only concrete classes have tables, not abstract ones.
Single table is the simplest unless you have a good reason not to - just have all possible fields there, and only use the ones you need in each class. You do have the disadvantage of not being able to enforce NOT NULL; if this matters, either make a custom constraint depending on the type of object, or use option 2 or 3.
I wrote about using the EAV model with cake a little while ago, I think this post might be helpful, but slightly outdated.
http://nuts-and-bolts-of-cakephp.com/2010/07/27/keyvalue-tables-and-how-to-use-them-in-cakephp-1-3/
Also, this could be very helpful for your particular question... Please take a look and study some concepts in Magento (a very popular PHP-based ecommerce framework) makes heavy use of EAV schemas and does a nice job of indexing and flattening the data.
You can certainly gain a lot of interesting perspective on EAV implementation. Whether you love it or not is a different story :)
Let's say I have three tables: users, books, and users_books.
In one of my views, I want to display a list of all the books the current user has access to. A user has access to a book if a row matching a user and a book exists in users_books.
There are (at least) two ways I can accomplish this:
In my fetchAll() method in the books model, execute a join of some sort on the users_books table.
In an Acl plugin, first create a resource out of every book. Then, create a role out of every user. Next, allow or deny users access to each resource based on the users_books table. Finally, in the fetchAll() method of the books model, call isAllowed() on each book we find, using the current user as the role.
I see the last option as the best, because then I could use the Acl in other places in my application. That would remove the need to perform duplicate access checks.
What would you suggest?
I'd push it all down into the database:
Doing it in the database through JOINs will be a lot faster than filtering things in your PHP.
Doing it in the database will let you paginate things properly without having to jump through hoops like fetching more data than you need (and then fetching even more if you end up throwing too much out).
I can think of two broad strategies you could employ for managing the ACLs.
You could set up explicit ACLs in the database with a single table sort of like this:
id: The id of the thing (book, picture, ...) in question.
id_type: The type or table that id comes from.
user: The user that can look at the thing.
The (id, id_type) pair give you a pseudo-FK that you can use for sanity checking your database and the id_type can be used to select a class to provide the necessary glue to interact the the type-specific parts of the ACLs and add SQL snippets to queries to properly join the ACL table.
Alternatively, you could use a naming convention to attach an ACL sidecar table to each table than needs an ACL. For table t, you could have a table t_acl with columns like:
id: The id of the thing in t (with a real foreign key for integrity).
user: The user the can look at the thing.
Then, you could have a single ACL class that could adjust your SQL given the base table name.
The main advantage of the first approach is that you have a single ACL store for everything so it is easy to answer questions like "what can user X look at?". The main advantage of the second approach is that you can have real referential integrity and less code (through naming conventions) for gluing it all together.
Hopefully the above will help your thinking.
I would separate out your database access code from your models by creating a finder method in a repository class with an add method like getBooksByUser(User $user) to return a collection of book objects.
Not entirely sure you need ACLs from what you describe. I maybe wrong.
I read about an inheritance feature in PostgreSQL that seemed pretty neat. Unfortunately I am forced to use MySQL. How would you do something similar in a clean way?
Say you for example had the two following classes that you want to work with:
User
˪ Id
˪ Name
˪ Password
Employee : User
˪ Pay
How would you store those in a MySQL database so that they can be fetched from for example PHP in a fairly clean way? I need to for example be able to fetch all users including employees, only employees, find if a user is also an employee, et cetera.
Looking for general advice and not a specific solution to this case. I for example see that I could simply add a nullable Pay column to a Users table, but I don't really like that idea as it would quickly become very messy if more sub-classes were needed.
Add a field to Employee which is a foreign key to User. You'd still have to perform a join across the tables, but it's better than nothing.