jazzband / django-authority

A Django app that provides generic per-object-permissions for Django's auth app and helpers to create custom permission checks.
http://django-authority.readthedocs.org
BSD 3-Clause "New" or "Revised" License

Unique together constraints do nothing if user or group are blank. #16

Open jlward opened 10 years ago

jlward commented 10 years ago

http://stackoverflow.com/questions/3712222/does-mysql-ignore-null-values-on-unique-constraints

We should change the unique_together to:

        unique_together = (
            ("codename", "object_id", "content_type", "group"),
            ("codename", "object_id", "content_type", "user"),
        )

winhamwr commented 10 years ago

Note: This is only in MySQL, and doesn't affect users of a saner database like PostgreSQL.

Regardless, it's still probably better to split the index into two. The current index would allow things like:

        codename: foo approved: True object_id: 1 content_type: 1 group: 1 user: 2
        codename: foo approved: False object_id: 1 content_type: 1 group: 2 user: 2

Also, I think the order should actually be:

        unique_together = (
            ("codename", "content_type", "object_id", "group"),
            ("codename", "content_type", "object_id", "user"),
        )

That would allow an index hit for a query getting all of the users who have a permission on a certain type of Model. The trade-off would be an index miss for permissions for objects of any type with a given PK, but I can't see any realistic case where you'd need to run that query.
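An added example, not part of the thread or of django-authority's code: it inserts the rows discussed above under a single unique index covering both `group` and `user`, then under the two split indexes proposed in the comments, and counts how many conflicting permission rows are stored. Assumptions: SQLite stands in for MySQL so the example runs offline (SQLite also treats NULLs as distinct in unique indexes), the table and column names are hypothetical, and the "combined" layout is an assumed shape for the existing constraint.

```python
import sqlite3

COLS = "codename, content_type, object_id"

# Assumed layouts: "combined" is one index over both user and group (an
# assumption about the existing constraint); "split" is the pair proposed
# in the thread, in the column order from the last comment.
LAYOUTS = {
    "combined": [f"{COLS}, group_id, user_id"],
    "split": [f"{COLS}, group_id", f"{COLS}, user_id"],
}


def accepted_rows(layout, rows):
    """Insert rows into a fresh table with the given unique indexes.

    Returns how many rows the database actually stored.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE permission (codename TEXT, approved INTEGER, "
        "content_type INTEGER, object_id INTEGER, "
        "group_id INTEGER, user_id INTEGER)"
    )
    for i, cols in enumerate(LAYOUTS[layout]):
        db.execute(f"CREATE UNIQUE INDEX uniq_{i} ON permission ({cols})")
    for row in rows:
        try:
            db.execute("INSERT INTO permission VALUES (?, ?, ?, ?, ?, ?)", row)
        except sqlite3.IntegrityError:
            pass  # rejected by one of the unique indexes
    count = db.execute("SELECT COUNT(*) FROM permission").fetchone()[0]
    db.close()
    return count


# Constructed sample rows:
# (codename, approved, content_type, object_id, group, user)
# Same user, blank group, contradictory "approved" values.
BLANK_GROUP = [("foo", 1, 1, 1, None, 2), ("foo", 0, 1, 1, None, 2)]
# The two rows from the comment: same user, different groups.
TWO_GROUPS = [("foo", 1, 1, 1, 1, 2), ("foo", 0, 1, 1, 2, 2)]

if __name__ == "__main__":
    for name in LAYOUTS:
        print(name, accepted_rows(name, BLANK_GROUP),
              accepted_rows(name, TWO_GROUPS))
```

Under the combined index both contradictory rows are stored in each case; under the split indexes the second row is rejected in each case.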