Forum OpenACS Q&A: The query that knows no bounds, or maybe not?

From reading and rereading and rereading I gather that there are some questions of the permissions system that need to be carefully phrased.
The function simply queries acs_object_party_privilege_map, which is a humongous view that joins three flattened hierarchies: the context tree, the privilege hierarchy, the party composition (and membership) hierarchy. As such, it contains an extremely large number of rows. About the only kind of query you can run against it is the one performed by the acs_permission.permission_p function. Anything other than that would take forever to finish or would ultimately result in an Oracle error.
What's not clear to me, is if it's the question I ask that makes me a terrorist, or how I ask it. Is the article suggesting these problematic queries can be written differently (and scale) or that indeed there are some questions you shouldn't even try to ask of the permission system?

In particular, what's a nice efficent way to determine which parties p have the permission foo on object o?

Posted by Dave Bauer on

Unfortunately that document, in those regards is out of date. Don Baccus rewrote the permissions code and it is much more efficient now. The views are gone, replaced by actual tables maintained by triggers.

You can query the tables directly. I forget the actual table names, I'll check and post later with a real sample query.

Posted by Tom Jackson on

Jerry, you might look at my notes on the subject contained in a thread on relational segments. There is not a single table that contains all these rows, permission_p now uses a join of three tables. I think I was taking heavy medication for a back strain when I talked of the join as 'sublime'. Now I'm sobered up, but I still think it is sublime. This join pretty much explains permissions to me and how to grant and test them.