Thanks Anthony, indeed I will have to evaluate the tradeoff of speed for complexity. I don't think that our site will have the amount of traffic that this would be a problem, but it's always good to know good practices! A friend suggested to use

    db((db.task.id == 5) &
       (db.task.ref_to_job == db.job.id) &
       (db.job.ref_to_project == db.project.id) &
       (db.project.owner == auth.user_id))

I tried it and it works, but I am not sure how different it is from the one Leonel suggested. How does this work? Also, you mentioned to check the timing of the query. Is there a web2py way to do that?

Thank you

On Monday, September 8, 2014 3:31:54 PM UTC+3, Anthony wrote:
>
> On Monday, September 8, 2014 4:47:57 AM UTC-4, Leonel Câmara wrote:
>>
>> Frankly, I would just store the user as the owner in all of those tables.
>> Probably using auth.signature().
>>
>> You could do a very inefficient recursive select but I don't see any
>> advantage.
>>
>> Something like:
>>
>> task = db.tasks[5]
>>
>> if task.job.project.owner != auth.user_id:  # You are doing a select for each dot you see here
>>     raise HTTP(403)  # Forbidden
>>
>
> Before you go storing the user id in every table, you should check the
> timing on the above query, and make the decision based on expected app
> usage. While the above isn't the most efficient, it will probably be only a
> few milliseconds, and if this app doesn't have heavy traffic or this
> operation isn't very frequent, the inefficiency may be fine. You could also
> see if it's faster to do a single multi table join rather than the
> recursive select shown above (though the above is easier to write and
> understand, so may not be worth making the change anyway).
>
> Anthony
>
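
Added example, not part of the original thread and not web2py code: the two ownership checks discussed above, written as plain SQL against an in-memory SQLite database so they can be compared and timed side by side. Table and column names follow the query in the message; the schema, sample rows and function names are constructed for illustration, and the single-query version assumes the DAL expression is run as an implicit join with all conditions in the WHERE clause.

```python
import sqlite3
import time

def make_db():
    # Constructed schema and rows; names follow the query in the message.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE project (id INTEGER PRIMARY KEY, owner INTEGER NOT NULL);
        CREATE TABLE job  (id INTEGER PRIMARY KEY, ref_to_project INTEGER REFERENCES project(id));
        CREATE TABLE task (id INTEGER PRIMARY KEY, ref_to_job INTEGER REFERENCES job(id));
        INSERT INTO project VALUES (1, 10), (2, 20);
        INSERT INTO job VALUES (1, 1), (2, 2);
        INSERT INTO task VALUES (5, 1), (6, 2);
    """)
    return conn

def owns_task_join(conn, task_id, user_id):
    # One round trip: every condition must hold or no row comes back.
    row = conn.execute(
        "SELECT 1 FROM task, job, project "
        "WHERE task.id = ? AND task.ref_to_job = job.id "
        "AND job.ref_to_project = project.id AND project.owner = ?",
        (task_id, user_id)).fetchone()
    return row is not None

def owns_task_recursive(conn, task_id, user_id):
    # One select per hop, like task.job.project.owner; a missing row denies.
    cur = task_id
    for sql in ("SELECT ref_to_job FROM task WHERE id = ?",
                "SELECT ref_to_project FROM job WHERE id = ?",
                "SELECT owner FROM project WHERE id = ?"):
        row = conn.execute(sql, (cur,)).fetchone()
        if row is None or row[0] is None:
            return False
        cur = row[0]
    return cur == user_id

def time_check(check, conn, task_id, user_id, runs=1000):
    # Average seconds per call over `runs` calls.
    start = time.perf_counter()
    for _ in range(runs):
        check(conn, task_id, user_id)
    return (time.perf_counter() - start) / runs

if __name__ == "__main__":
    conn = make_db()
    for check in (owns_task_join, owns_task_recursive):
        print(check.__name__, check(conn, 5, 10), check(conn, 5, 20),
              "%.1f us" % (time_check(check, conn, 5, 10) * 1e6))
```

Both functions deny when the task does not exist or when no user is logged in (user id of None), which is the case the attribute-chain version has to handle explicitly.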