
Re: PROPFIND Depth:1 and ACLs

From: Werner Donné <werner.donne@re.be>
Date: Tue, 15 May 2007 14:44:13 +0200
Message-ID: <4649AB1D.2000605@re.be>
To: Tim Olsen <tolsen718@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, w3c-dist-auth@w3.org

That is true. You have to join with the ACEs granting or
denying the "read", "read-acl", "read-current-user-privilege-set"
and "all" privileges. The result set should then be matched
with the current user. This can't be part of the same join,
because of group memberships.

Note that the original result set you fetch from the database,
i.e. without ACEs, should be multiplied by the average number
of occurrences of the above-mentioned privileges per ACL. This
will depend on how well the user organises principals in groups.

Werner.

Tim Olsen wrote:
> 
> On 5/15/07, Werner Donné <werner.donne@re.be> wrote:
>> Indeed, because as soon as one property is also returned an ACL check is
>> required for each member, which is expensive if the collection has a lot
>> of members, say a few thousand.
>>
> 
> If you're using a SQL database, you can optimize this with a proper
> SQL query.  Just JOIN all the children of a collection against the acl
> check you normally do.
> 
> -Tim
> 
> 

-- 
Werner Donné  --  Re
Engelbeekstraat 8
B-3300 Tienen
tel: (+32) 486 425803	e-mail: werner.donne@re.be
Received on Tuesday, 15 May 2007 12:43:36 GMT
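
The two-step check discussed in this thread, as an added example that is not part of the original messages: one SQL query joins a collection's members with their read-related ACEs, and the match against the current user happens afterwards, once group memberships are expanded. The schema, table and column names, the sample data, and the "first matching ACE wins, no match means deny" evaluation are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema: one row per resource, one row per (ACE, privilege).
SCHEMA = """
CREATE TABLE resource (id INTEGER PRIMARY KEY, parent INTEGER, name TEXT);
CREATE TABLE ace (resource INTEGER, pos INTEGER, principal TEXT,
                  is_grant INTEGER, privilege TEXT);
"""
# All members of one collection joined with the ACEs that affect reading.
# LEFT JOIN keeps members that have no such ACE so they are denied explicitly.
QUERY = """
SELECT r.name, a.principal, a.is_grant
FROM resource r
LEFT JOIN ace a ON a.resource = r.id AND a.privilege IN ('read', 'all')
WHERE r.parent = ?
ORDER BY r.id, a.pos
"""
MEMBER_OF = {"alice": ["editors"], "editors": ["staff"]}  # constructed sample

def expand_principals(user, member_of):
    """Return the user plus every group reached through nested membership."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(member_of.get(p, ()))
    return seen

def readable_members(db, collection_id, user, member_of):
    """Names of the members the user may read; first matching ACE decides."""
    principals = expand_principals(user, member_of)
    decision = {}  # name -> None (no match yet), True (grant) or False (deny)
    for name, principal, is_grant in db.execute(QUERY, (collection_id,)):
        decision.setdefault(name, None)
        if decision[name] is None and principal in principals:
            decision[name] = bool(is_grant)
    return sorted(n for n, ok in decision.items() if ok)

def build_sample_db():
    """Constructed sample data: collection 1 ("docs") with three members."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO resource VALUES (?,?,?)",
        [(1, None, "docs"), (2, 1, "a.txt"), (3, 1, "b.txt"), (4, 1, "c.txt")])
    db.executemany("INSERT INTO ace VALUES (?,?,?,?,?)",
        [(2, 0, "staff", 1, "read"), (3, 0, "alice", 0, "read"),
         (3, 1, "staff", 1, "all"), (4, 0, "bob", 1, "read")])
    return db
```

With this sample data the join returns four rows for three members, which is the multiplication of the result set by ACE occurrences that the reply mentions.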
