
Complex Associations and Access Control

Posted on : 12-04-2009 | By : Chuck | In : Uncategorized


I decided to get back to work on the new content management system for GreeneCountyIndiana.com. Last time I left off, I was in the process of implementing access control for the news system.

The news system (and lots of other parts of the site) is composed of a variety of associations.

  • News belongsTo NewsCategory
  • News HABTM Tag
  • NewsCategory is an ACO

Access is controlled at the NewsCategory level. You must have read access to the NewsCategory to view the articles in that category. This is easy if you simply want to view articles by category. However, it gets considerably more complicated if you want to browse-by-tag or other criteria.

How in the world can you do a permissions check without requiring an extra query for every single article?

It also doesn’t help that pagination is used, so most means of removing records the user doesn’t have access to at the controller level will screw up pagination. In theory you could have empty pages if a user had very limited read access.

Man, access control is complicated.
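One way to avoid both the per-article check and the broken pagination is to resolve the user's readable NewsCategory ids once and push them into the query as a condition, so the LIMIT/OFFSET and the total count are computed over the same already-filtered set. The following is an added example, not code from the original post or from the GreeneCountyIndiana.com CMS; the schema, table names and the `category_perms` table are assumptions standing in for the site's real tables and for CakePHP's ACO/ARO permission tables.

```python
import sqlite3

# Constructed schema mirroring the associations in the post (an assumption, not the site's schema):
# news belongsTo news_categories, news HABTM tags via news_tags, read permission granted per category.
SCHEMA = """
CREATE TABLE news_categories (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE news (id INTEGER PRIMARY KEY, news_category_id INTEGER, title TEXT);
CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE news_tags (news_id INTEGER, tag_id INTEGER);
CREATE TABLE category_perms (group_id INTEGER, news_category_id INTEGER, can_read INTEGER);
"""

def build_db():
    """Constructed sample data: 12 articles spread over 3 categories, all tagged 'meeting'."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO news_categories VALUES (?,?)", [(1, "Public"), (2, "Board"), (3, "Staff")])
    db.executemany("INSERT INTO news VALUES (?,?,?)",
                   [(i, (i % 3) + 1, f"article {i}") for i in range(1, 13)])
    db.execute("INSERT INTO tags VALUES (1, 'meeting')")
    db.executemany("INSERT INTO news_tags VALUES (?,1)", [(i,) for i in range(1, 13)])
    # group 10 may read Public and Staff (Board explicitly denied); group 20 may read only Public
    db.executemany("INSERT INTO category_perms VALUES (?,?,?)",
                   [(10, 1, 1), (10, 3, 1), (10, 2, 0), (20, 1, 1)])
    return db

def readable_category_ids(db, group_id):
    """One query resolves the user's read permissions, instead of one check per article."""
    rows = db.execute("SELECT news_category_id FROM category_perms WHERE group_id=? AND can_read=1",
                      (group_id,))
    return [r[0] for r in rows]

def browse_by_tag(db, group_id, tag_name, page, per_page):
    """Filter by readable category inside the query so the page count and the rows agree."""
    cats = readable_category_ids(db, group_id)
    if not cats:  # no readable categories: nothing to paginate, and nothing leaks
        return {"total": 0, "items": []}
    marks = ",".join("?" * len(cats))
    base = f"""FROM news n JOIN news_tags nt ON nt.news_id = n.id JOIN tags t ON t.id = nt.tag_id
               WHERE t.name = ? AND n.news_category_id IN ({marks})"""
    params = (tag_name, *cats)
    total = db.execute(f"SELECT COUNT(*) {base}", params).fetchone()[0]
    rows = db.execute(f"SELECT n.id, n.title {base} ORDER BY n.id LIMIT ? OFFSET ?",
                      (*params, per_page, (page - 1) * per_page)).fetchall()
    return {"total": total, "items": rows}
```

Because the authorization condition is part of the same statement that the paginator counts and slices, a user with limited read access gets fewer pages rather than empty ones, and no article outside their categories is ever fetched.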
