Hi, I am developing an early version of my site and before I create the production version, I'd like people's opinions on whether I'm going about things the right way. The main objective is to allow users to share playlists. I have the User table (ASP.NET Membership), Playlist table and a permission table. I'd like a user to create a playlist and grant/deny access to it for a given user. My approach to this is to have the permission table contain a "pStatus" column where 0/null = deny, 1 = read. When a user requests permission to access a playlist, the creator chooses the pStatus enumeration. The column is then changed accordingly for the recipient. When accessing the recipient's profile page, a scan of the column is done to check all playlists the recipient has access to and the relevant playlists are displayed. Is this an efficient and secure way of doing things? Or is relying on one column not enough?

(nb - playlists can be considered to be similar to Facebook groups)

Thanks for any advice

+1  A: 

So Permission has foreign keys to User and Playlist. Is there any reason for the third column specifying permission level? It sounds like it should be: If a row exists in Permission, the user is allowed to access the playlist.

Otherwise, that sounds good to me.

Dark Falcon
I might be using three settings (none, read and write) so the third column would specify the setting. Thanks
keyboardP
+1  A: 

I would use some sort of bitmask in the n-m relation table I'm guessing is in between User and PlayList (i.e. a table named UserPlaylist, because 1 user can have access to more than 1 playlist and vice versa 1 playlist can be accessed by more than 1 user).

If you define the needed permission levels up front (i.e. 0 = no access, 1 = read, 2 = write, etc.), you can just add a column to the UserPlayList table, that represents the access level.

So the UserPlaylist table will have 2 foreign key columns of which the combination should be unique (i.e. define the primary key to be the 2 foreign key columns) and a column that holds the level of access in the form of a bit / integer.

Colin
My permission table is essentially the UserPlaylist table, but I had an extra PK table (incrementing int) for each record. I'll remove that column and use the combination of User and Playlist as the PK. Thanks
keyboardP
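
The design discussed in the answers above, as an added example that is not code from the question or either answer: a UserPlaylist table keyed on (UserId, PlaylistId) with an integer access level, where a missing row means deny. It uses SQLite as a stand-in for the site's database; the `OwnerId` column, the `AccessLevel` column name and the function names are assumptions.

```python
import sqlite3

NONE, READ, WRITE = 0, 1, 2  # access levels listed in the answer above

SCHEMA = """
CREATE TABLE User (UserId INTEGER PRIMARY KEY);
CREATE TABLE Playlist (
    PlaylistId INTEGER PRIMARY KEY,
    OwnerId    INTEGER NOT NULL REFERENCES User(UserId)  -- assumed column
);
CREATE TABLE UserPlaylist (
    UserId      INTEGER NOT NULL REFERENCES User(UserId),
    PlaylistId  INTEGER NOT NULL REFERENCES Playlist(PlaylistId),
    AccessLevel INTEGER NOT NULL CHECK (AccessLevel IN (0, 1, 2)),
    PRIMARY KEY (UserId, PlaylistId)  -- one permission row per pair
);
"""

def demo_db():
    """In-memory database seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO User VALUES (?)", [(1,), (2,), (3,)])
    db.executemany("INSERT INTO Playlist VALUES (?, ?)", [(10, 1), (11, 1)])
    return db

def set_access(db, acting_user, user_id, playlist_id, level):
    """Set a user's level; only the playlist's creator may change it."""
    owner = db.execute("SELECT OwnerId FROM Playlist WHERE PlaylistId = ?",
                       (playlist_id,)).fetchone()
    if owner is None or owner[0] != acting_user:
        raise PermissionError("only the creator can change access")
    # The composite key makes this an update when the pair already exists.
    db.execute("INSERT OR REPLACE INTO UserPlaylist VALUES (?, ?, ?)",
               (user_id, playlist_id, level))

def access_level(db, user_id, playlist_id):
    """A missing row means deny, so unknown pairs never gain access."""
    row = db.execute("SELECT AccessLevel FROM UserPlaylist "
                     "WHERE UserId = ? AND PlaylistId = ?",
                     (user_id, playlist_id)).fetchone()
    return row[0] if row else NONE

def readable_playlists(db, user_id):
    """Playlists to show on a profile page: read access or higher."""
    rows = db.execute("SELECT PlaylistId FROM UserPlaylist WHERE UserId = ? "
                      "AND AccessLevel >= ? ORDER BY PlaylistId", (user_id, READ))
    return [r[0] for r in rows]
```

All queries are parameterized, and the acting user passed to `set_access` should come from the authenticated session rather than from request data.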