3 Replies Latest reply on Oct 2, 2009 1:15 PM by phantasmo

    General DB,Hibernate,JPA question - Stale permissions

    brandonsimpson

      I've been thinking of scenarios that could be a possible problem for my app, and wondering if anyone has a solution. Here's the idea:


      1) On entering a page, some entity in the DB is consulted to make sure the user has the correct permission to view the page (and perform the operations on that page). Assume the user does have permission, so the page is displayed.
      2) The user thinks for a while (application transaction time) and maybe interacts with the screen a while. During this time, the user's permission changes in the DB.
      3) The user performs a submit to change some data on the page even though the permission has been removed.


      Using Hibernate, how can I verify they still have the permission to perform an insert/update/delete when I go to flush/persist the data? I figured I could refresh the permission data right before performing the final submit/update, but this doesn't seem very elegant or technically correct since there could still be some small window between the refresh and the final saving where permission could be removed. If I were to be hand-coding the SQL, I would probably normally include some sort of where clause that references the permission information, but I haven't seen any examples of doing this with Hibernate/JPA. Anyone ever dealt with this or have any ideas?

        • 1. Re: General DB,Hibernate,JPA question - Stale permissions
          phantasmo

          Why would the permissions change so often?



          "If I were to be hand-coding the SQL, I would probably normally include some sort of where clause that references the permission information"

          What prevents you from writing the equivalent query in JPQL or, if need be, in native SQL?

          • 2. Re: General DB,Hibernate,JPA question - Stale permissions
            brandonsimpson

            Thanks, Bojan!


            I'd never seen any examples using a JPQL update. I suspected something like that must exist but didn't know exactly what I didn't know. ;)


            As far as permissions changing often...I have a few cases where it can happen and just want to be as correct as possible. Here's one example...I'm building a community-type website where users can send messages to each other. However, if someone is being a pain, they can be blocked by another user. Under those circumstances I don't want the blocked user to be able to contact the blocking user at all.


            BTW, do you know if there is any way to just add a WHERE clause onto the SQL Hibernate generates? In some cases I have really complex persistent object graphs and it could be a real pain to have to generate the proper JPQL. Thanks again for the input.

            • 3. Re: General DB,Hibernate,JPA question - Stale permissions
              phantasmo
              As for JPQL updates, you should check this out:
              http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13946/ejb3_langref.html#ejb3_langref_bulk_ops

              "do you know if there is any way to just add a WHERE clause onto the SQL Hibernate generates?"

              I don't think there is. It's either JPQL or native SQL. I doubt you can modify the query after it's generated.
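
Added example, not part of the thread's posts: the "where clause that references the permission information" idea from the original question, shown as native SQL run through Python's sqlite3 rather than through Hibernate/JPA. The `blocks` and `messages` tables and the user names are constructed for the thread's blocked-user scenario; the permission test and the write are one statement, so there is no application-level gap between check and save.

```python
import sqlite3

# Constructed schema for the thread's example: users can block each other.
SCHEMA = """
CREATE TABLE blocks (blocker TEXT NOT NULL, blocked TEXT NOT NULL,
                     PRIMARY KEY (blocker, blocked));
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT NOT NULL,
                       recipient TEXT NOT NULL, body TEXT NOT NULL);
"""

# The permission test is part of the write itself: the row is inserted
# only if no matching block exists when the statement executes.
SEND_SQL = """INSERT INTO messages (sender, recipient, body)
SELECT :sender, :recipient, :body
WHERE NOT EXISTS (SELECT 1 FROM blocks
                  WHERE blocker = :recipient AND blocked = :sender)
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def send_message(conn, sender, recipient, body):
    """Return True if the message was stored, False if the sender is blocked."""
    with conn:  # commit on success, roll back on error
        cur = conn.execute(SEND_SQL, {"sender": sender,
                                      "recipient": recipient, "body": body})
    # rowcount 0 means the WHERE clause rejected the write.
    return cur.rowcount == 1

def demo():
    conn = open_db()
    first = send_message(conn, "mallory", "alice", "hi")         # allowed
    # The permission changes while the sender still has the page open.
    with conn:
        conn.execute("INSERT INTO blocks VALUES ('alice', 'mallory')")
    second = send_message(conn, "mallory", "alice", "hi again")  # rejected
    other = send_message(conn, "alice", "mallory", "stop")       # no block in this direction
    stored = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    return first, second, other, stored

if __name__ == "__main__":
    print(demo())
```

The caller has to act on the affected-row count: a count of zero is the signal that the permission was withdrawn, and the UI should report a refusal rather than success.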