11807 shaares
366 private links
366 private links
The permission system should handle folders and files.
Strategies:
- (naive) read-time permission queries
- A simple table (RBAC role based access control).
-- RBAC: Pre-computed permissions
-- access_type: 'owner' (full control), 'shared' (read only), 'path_only' (visible but no access)
CREATE TABLE permissions (
user_id INTEGER NOT NULL,
resource_id INTEGER NOT NULL,
access_type TEXT NOT NULL,
PRIMARY KEY (user_id, resource_id),
FOREIGN KEY (user_id) REFERENCES users(id),
FOREIGN KEY (resource_id) REFERENCES resources(id)
);- Attribute-Based Access Control
This approach is very clear and composable. It works great for single-resource access checks: "can user X access resource Y?" It struggles when listing resources, as we would need to execute the policies for each resource and can't directly query the resources table with simple filters.
- Zanzibar and ReBAC
