- From: Werner Donné <werner.donne@re.be>
- Date: Tue, 15 May 2007 14:44:13 +0200
- To: Tim Olsen <tolsen718@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, w3c-dist-auth@w3.org

That is true. You have to join with the ACEs granting or denying the "read", "read-acl", "read-current-user-privilege-set" and "all" privileges. The result set should then be matched with the current user. This can't be part of the same join, because of group memberships.

Note that the original result set you fetch from the database, i.e. without ACEs, should be multiplied by the average number of occurrences of the above-mentioned privileges per ACL. This will depend on how well the user organises principals in groups.

Werner.

Tim Olsen wrote:
>
> On 5/15/07, Werner Donné <werner.donne@re.be> wrote:
>> Indeed, because as soon as one property is also returned an ACL check is
>> required for each member, which is expensive if the collection has a lot
>> of members, say a few thousand.
>>
>
> If you're using a SQL database, you can optimize this with a proper
> SQL query. Just JOIN all the children of a collection against the acl
> check you normally do.
>
> -Tim
>
>

--
Werner Donné -- Re
Engelbeekstraat 8
B-3300 Tienen
tel: (+32) 486 425803
e-mail: werner.donne@re.be
Received on Tuesday, 15 May 2007 12:43:36 UTC
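
The approach discussed in this message, as an added example that is not part of the original thread: one query joins a collection's members with the ACEs for the four privileges, and the match against the current user happens afterwards, using the user's transitive group set. The schema, sample rows, function names and the rule that the first matching ACE decides a privilege are assumptions.

```python
import sqlite3

# Privileges named in the message; an "all" ACE covers each of them.
WANTED = ("read", "read-acl", "read-current-user-privilege-set")

# Hypothetical schema with constructed sample rows (not from the thread).
SCHEMA = """
CREATE TABLE resource(id INTEGER PRIMARY KEY, parent INTEGER, name TEXT);
CREATE TABLE ace(resource INTEGER, seq INTEGER, principal TEXT,
                 privilege TEXT, is_grant INTEGER);
CREATE TABLE membership(member TEXT, grp TEXT);
INSERT INTO resource VALUES (1, NULL, 'docs'), (2, 1, 'a.txt'),
                            (3, 1, 'b.txt'), (4, 1, 'c.txt');
INSERT INTO ace VALUES (2, 0, 'staff', 'read', 1),
  (3, 0, 'alice', 'read', 0), (3, 1, 'staff', 'all', 1),
  (4, 0, 'admins', 'all', 1), (4, 1, 'staff', 'write', 1);
INSERT INTO membership VALUES ('alice', 'editors'), ('editors', 'staff');
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def principals_of(db, user):
    # Transitive group closure, resolved once per request, outside the join.
    rows = db.execute("""
        WITH RECURSIVE p(name) AS (
            SELECT ? UNION SELECT grp FROM membership JOIN p ON member = name)
        SELECT name FROM p""", (user,))
    return {row[0] for row in rows}

def granted_on_children(db, collection, user):
    who = principals_of(db, user)
    marks = ",".join("?" * (len(WANTED) + 1))
    # One query for every member; LEFT JOIN keeps members with no such ACE.
    rows = db.execute(f"""
        SELECT r.name, a.principal, a.privilege, a.is_grant
        FROM resource r LEFT JOIN ace a
          ON a.resource = r.id AND a.privilege IN ({marks})
        WHERE r.parent = ? ORDER BY r.id, a.seq""", (*WANTED, "all", collection))
    decided = {}
    for name, principal, privilege, is_grant in rows:
        per_member = decided.setdefault(name, {})
        if principal not in who:
            continue
        for priv in (WANTED if privilege == "all" else (privilege,)):
            per_member.setdefault(priv, bool(is_grant))  # assumed: first match wins
    return {n: {p for p, ok in d.items() if ok} for n, d in decided.items()}
```

The join returns one row per member per matching ACE, which is the result-set growth the message describes.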