Handling arbitrary permissions the simpliest way
This topic is increasingly important as the stuff we put online can be accessed from different people. I’m putting raw thoughts there and 2 cents for the post of today.
How to store rights?
In short: use a bit for one right. The rights can often be grouped into one byte. Thus a user has rights on one document or file with 1 byte.
This is exactly how the right management works on GNU/Linux: Read, Write, Execute. These rights are set for the owner, the owner’s group and the remaining ones outside of the group (called other).
There are 3 chunks of 3 rights. Each right can be encoded as one bit. The owner can have the rights 111 (execute, write, read), the group 001 (read only) and the others 000.
So we know how to encode a serie of rights. Nice.
What rights can be used for a document?
Read can be used to read information on the document. Note this can differ from downloading the content of the document! This case can happen. Someone can access metadata without accessing the real content. Write can be used to change the document. Download can be a right, if a user is able to retrieve the document locally to do whatever he wants. Delete can have some cases, though the write rights can cover it.
Maybe I want to use groups too. Think organisations! For example each Figma canvas beholds to an organization. Each users of the organization have the same rights. It can be the files shared with my family group.
Multiple users with multiple documents
Alice, Bob and Mallory are three users. Alice beholds document A and B.
Let’s say our app allow for the following rights: read, download, edit and administrate (change rights). Read, Download, Edit, Administrate in that order. Why a user could edit something they can not read or download? That’s a good question!
While converting bits to our decimal base 10, it would mean:
- read: 1
- download: 2
- edit: 4
- administrate: 8 Each number represents a combination of rights:
- no rights is 0
- read and download is 3
- administrate and edit is 12
- all rights is 15
Alice has all the rights on her documents. Bob can edit A and read and administrate B. Mallory can download A and nothing with B.
A database table to handle such simple rights would look as follow:
| User | Document | Rights (4 bits used) |
|---|---|---|
| Alice | A | 00001111 |
| Alice | B | 00001111 |
| Bob | A | 00000100 |
| Bob | B | 00001001 |
| Mallory | A | 00000010 |
| Mallory | B | 00000000 |
Note there are 4 bits free for new rights. For N documents and M, there is also N*M records.
These rights can be operated using bit and mask operators. That’s a topic I can also explore to implement such a system.
Outro
That’s only scratching the surface.
A user can be registered in multiple organisations. A user can have “defaults” rights on all documents another user too.
The operation strategy is missing: how to implement the bit operations and how to set the rules for each bit? How to operate it in a desktop software or an HTTP API?
There are definitely possibilities to store the rights in a smarter way to avoid redundancy. I imagine a scale: you can read, then you can download, then you can edit, then you can administrate, so 1, 2, 3, 4. I don’t think much about it yet.