This has been discussed before and trashed as soon as a graph database is 
needed to store and retrieve efficiently data.
Of course, recursive queries are a no-go.
There's a reason why Active Directory through Kerberos sends out the 
flattened list of group membership when trying to authenticate.
And a reason why even with that trick it's fading away. We don't need to 
copy behaviour from a well known architecture which has already proven its 
limits. 
Checking membership recursively at login-time is FAR FAR FAR worse than 
just managing group membership on another layer, on top of RBAC which isn't 
limiting from the "turing" perspective. 

PS: web2py suffers of the n+1 query problem EVEN for not nested groups. I 
assume it was done to support noSQL database. I realized it reviewing the 
code in order to allow JWT authentication. IMHO the eventual "refactoring 
hours" spent on RBAC should be spent there instead of nested groups 
functionality 

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to