Is using the google appengine parent attribute to apply default permissions to an object a good idea?

While hacking together an authorization framework for my web app, I thought a lot of my work would be cut out if by default I applied the following logic. All objects created by a 'User' have a parent being the 'User'. When a query is run to retrieve objects for a view, limit the returned objects by applying the ancestor() property to the Query. This seems in my head simple and sensible would work in all the cases I can think of. No one else seems to have done it though, am I missin开发者_运维技巧g something?

If you aim is to cordon-off all the objects that are related to a single account, then you might want to look at the multi-tenancy features, which are designed to do just this.

If your aim is just to have a convienent way to grab everything created by a single user, then we would need to know more about what your app does.

By setting the User as the parent for everything created by that user, you are placing everything related to that user into a single Entity Group, which means that if users in your application frequently need to update each other's data your might run into issues.

Yes.

This would place all of the user's data in the same entity group, which forces it all to reside on the same datastore node. If you need to update a user's data frequently, storing everything in one entity group is going to increase write contention and generally degrade performance.

The recommended design pattern is to place 2 entities in the same group when they need to be updated in the same transaction. Otherwise, don't use them.