Re: Security and performance

On Wed, May 02, 2001 at 05:59:37PM -0400, Joel Burton wrote:
>
> Instead of making a kajillion views, could you use a RULE that
> checks their identity against some field, and either does the right thing
> or does nothing, depending on this info?
>
> It would seem *MUCH* easier to maintain.

I considered it, but it could have a negative impact on performance.
Consider: the rule would recheck for each record.  The rule has to be
implemented in each table which the user accesses.

A view, in contrast, only checks the user once.  It pulls the data a
user needs to see (and only that data) together.

I may do this with a small set of randomly generated postgresql users
rather than having a one-to-one postgres-to-application mapping.  When
the application validates a user login I could have the database
create a new user (triggered by the application reading from or writing
to a special view) with a randomly generated name and create views for
that database user which could only see the data of the logged-in
application user.  It would take some careful coding but be more
manageable.

--
Bruce

I see a mouse.  Where?  There, on the stair.  And its clumsy wooden
footwear makes it easy to trap and kill.
        -- Harry Hill