Folder permissions based on users and groups

Hey Im working on a folder tree and need to be able to limit the visibility of certain folder based on the user and the group they belong to. I alr开发者_如何学Ceady have a database representation of all the folders in the tree and the hierarchy of the folders. My question now is how to best represent the permissions.

If I have to possibly look up permissions in a separate table for each folder out there, this could get expensive ( I am granting that because of the hierarchy, we can hide all children of a hidden folder node so they can be discounted).

Does anybody have any good models and algorithms that would make this better? I figure unix file systems have been doing it for awhile, so there must be some really good ideas about how to model this problem.

Note that in the model I am dealing with there is no "owner" of the folder. A folder can be visisble to a user on a case by case basis.

I'm using Java and Mysql btw

I guess it depends on how your system will be used, specifically the number of users & folders.

You could:

build entire folder structure per user each time a user "logs on"

Gives you fast traversal, with a higher initial overhead (depending on what your application is this may not be noticable)

build single level folder structure each time a user changes their current working folder

Removes any initial overhead, for users who don't change folders there's no performance cost

As for representing the permissions, you might want to look at how the NTFS permission model works, you can grant or revoke permissions, and set them to inherit or not. This is probably the most complicated you could get, if you can simplify to not handle revoked permissions and always inherit you just need to traverse the folder hierarchy from top down until you find a grant or terminate. Depending on how you allow users to navigate your structure you can nicely simplify this to just listing nodes under the current folder that a user can see, as they must already implicitly be able to see the current folder.

Schema wise you have a many-to-many relationship between folder & user/group (you can should you wish model users and groups as a single entity), your permission object is either a simple boolean, or a more complex object depending on what permission types you want to support. I'd setup something like this, using one of the isValid methods depending on how complex your model is.

On a basic level, the best thing to do is go with your first instinct and create a look-up table for the permissions against the unique id of the folder.

Then benchmark.

If it's too resource-dependent, you could include the permissions as part of the folder representation in your core database.

But get it working first, and then work out if the performance penalties are too high.

One thing to consider: Altering permissions is a rare operation, as is checking permissions for a group, whereas checking permissions for an individual user is incredibly common (every time a user accesses a folder). So the best way to write the algorithm is to bias speed towards checking the mapping from user/folder, and against privilege alteration.