In this first step, we'll leave out as many extraneous parts as possible and focus on:
- JSONB operations
- CTE recursion with bailing on first match
We will leave out: passing in a sequence of principals, passing in a view, class-based ACLs, SQLAlchemy integration, anything related to performance, etc.
Get this repo and make the Sphinx HTML. Start with the ACLs section. Read it to make sure you agree with any decisions it makes. If not, change it in a PR.
Make a new directory based on the sample code in that section. Call it simple_filtering or something.
Write some SQLAlchemy-generated SQL (no hybrid methods or anything fancy) which extends your previous "parents" CTE to do the following:
- For each Node...
  - Look at the JSONB acl column
  - For each ACE...
    - Do some primitive test ("is the third item equal to 'view'?")
    - If it matches that test, bail out and return boolean True if the first item is 'Allow', or boolean False if 'Deny'
    - If the primitive test fails, go to the next ACE
  - If no matching ACE, do the same on the parent
  - If no more parents and no matching ACE, return False
And the essential part: do this all in one executed SQL statement.
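One way to write that single statement in plain PostgreSQL, as an added example (not code from the repo or its Sphinx docs). The `node` table, its columns, the `walk` CTE name and the sample rows are constructed assumptions; the principal in each ACE is ignored, as this step specifies.

```sql
-- Constructed schema and sample rows (assumptions, not the repo's own).
CREATE TEMP TABLE node (
    id        integer PRIMARY KEY,
    parent_id integer REFERENCES node (id),
    name      text NOT NULL,
    -- ACL is a JSONB array of ACEs: [action, principal, permission]
    acl       jsonb NOT NULL DEFAULT '[]' CHECK (jsonb_typeof(acl) = 'array')
);
INSERT INTO node (id, parent_id, name, acl) VALUES
    (1, NULL, 'root',   '[["Deny", "system.Everyone", "edit"],
                          ["Allow", "system.Everyone", "view"]]'),
    (2, 1,    'folder', '[["Deny", "system.Everyone", "view"]]'),
    (3, 2,    'doc',    '[]'),                                -- empty ACL, has parents
    (4, 1,    'public', '[["Allow", "group:editors", "edit"]]'), -- no 'view' ACE
    (5, NULL, 'orphan', '[]');                                -- no ACE, no parent

WITH RECURSIVE walk AS (
    -- Anchor: each node looks at its own ACL first.
    SELECT n.id AS node_id, n.parent_id,
           (SELECT ace.value ->> 0                 -- first item: 'Allow' / 'Deny'
              FROM jsonb_array_elements(n.acl) WITH ORDINALITY AS ace(value, ord)
             WHERE ace.value ->> 2 = 'view'        -- primitive test on third item
             ORDER BY ace.ord LIMIT 1) AS action   -- first matching ACE wins
      FROM node n
    UNION ALL
    -- Recursive step: move to the parent and run the same test on its ACL.
    SELECT w.node_id, n.parent_id,
           (SELECT ace.value ->> 0
              FROM jsonb_array_elements(n.acl) WITH ORDINALITY AS ace(value, ord)
             WHERE ace.value ->> 2 = 'view'
             ORDER BY ace.ord LIMIT 1)
      FROM walk w
      JOIN node n ON n.id = w.parent_id
     WHERE w.action IS NULL                        -- bail: stop once an ACE matched
)
-- At most one row per node carries a non-NULL action (the match that ended
-- the walk). No match anywhere in the lineage collapses to False.
SELECT n.id, n.name,
       COALESCE(bool_or(w.action = 'Allow'), false) AS allowed
  FROM node n
  JOIN walk w ON w.node_id = n.id
 GROUP BY n.id, n.name
 ORDER BY n.id;
```

The result is fail-closed: a matching ACE whose first item is anything other than 'Allow' evaluates to False, the same as 'Deny'. The walk assumes `parent_id` forms a tree; a cycle with no matching ACE would recurse without terminating.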