Batch update for domain objects -- is it possible?

  • Batch update for domain objects -- is it possible?

    We need to be able to update a series of objects (SQL records)
    in one (or a few) calls (or in one or a few equivalent operations using
    database layers like Hibernate or other Java code).

    Without Acegi this would look like this (pseudo SQL here):
    SET FIELD_NAME = FIELD_NAME + SomeOtherValueToAdd
    WHERE OWNERID = SomeGivenOwnerId

    (Using things like Hibernate means executing some sort of HQL
    or some Java method or whatever.)

    Q: How do we restrict access to those objects that are not updateable
    by current user/role? (using ACL permissions)

    It is OK to call a few SQLs or Java methods, but what we do not quite
    anticipate is having to call a great number of SQL/Java calls to find out
    permissions for every single object in the database (table),
    especially if we use permissions inheritance
    (object inherits permissions from its parent objects using ACL inheritance
    approach), and then update every single object one-by-one.

    I understand we have an option to join ACL tables with domain object table
    thus having natural SQL-based filter.
    But we really want to have parent-child inheritance using ACL permissions.


  • #2
    I am not sure how we could really accommodate this. If you would like ACL permissions to remain in a parent-child ACL table, it's going to be hard querying that for permissions during bulk SQL UPDATE statements.

    I'd try to find another way. Some options include:

    - Limiting the update command to only being callable by an administrator role, thus implying permission to change all objects.

    - Using stored procedures and triggers on the ACL table to maintain an 'effective ACL' table. I actually did this for a content management system once and it worked well. But you'll need lots of SQL. The advantage is you can use subselects in other SQL queries to retrieve effective ACLs for each record in real time. I would be careful to ensure it scales adequately though, as it would be a problem if you were doing very large numbers of operations.

    - Use the fact that the ACL information can be placed inside the domain object itself. So if say your domain object had a single "owner" column, use the BasicAclProvider.restrictSupportToClass property. This will allow you to have a separate provider-DAO setup for your domain object from the general-purpose ACL provider. See

    - Don't use ACLs

    - Don't use bulk updates

    Good luck!
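
A sketch of the 'effective ACL' table option from reply #2, as an added example that is not code from the thread or from Acegi. All table and column names are hypothetical, the table is rebuilt with a recursive query rather than maintained by triggers, and the nearest explicit entry on the parent chain is assumed to win.

```python
import sqlite3

# Hypothetical schema: a parent-child ACL tree, explicit entries, the flattened
# effective_acl table, and one domain table whose ids double as ACL object ids.
SCHEMA = """
CREATE TABLE acl_object (id INTEGER PRIMARY KEY, parent_id INTEGER);
CREATE TABLE acl_entry (object_id INTEGER, recipient TEXT, can_write INTEGER);
CREATE TABLE effective_acl (object_id INTEGER, recipient TEXT, can_write INTEGER);
CREATE TABLE account (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER);
"""

# Walk each object's parent chain, then keep the entry nearest to the object,
# so an explicit deny on a child overrides a grant inherited from its parent.
REBUILD = """
WITH RECURSIVE chain(object_id, ancestor_id, depth) AS (
    SELECT id, id, 0 FROM acl_object
    UNION ALL
    SELECT c.object_id, o.parent_id, c.depth + 1
    FROM chain c JOIN acl_object o ON o.id = c.ancestor_id
    WHERE o.parent_id IS NOT NULL AND c.depth < 32  -- cap guards against cycles
)
INSERT INTO effective_acl
SELECT c.object_id, e.recipient, e.can_write
FROM chain c JOIN acl_entry e ON e.object_id = c.ancestor_id
WHERE c.depth = (SELECT MIN(c2.depth)
                 FROM chain c2 JOIN acl_entry e2 ON e2.object_id = c2.ancestor_id
                 WHERE c2.object_id = c.object_id AND e2.recipient = e.recipient)
"""

def rebuild_effective_acl(conn):
    conn.execute("DELETE FROM effective_acl")
    conn.execute(REBUILD)

def bulk_add(conn, recipient, owner_id, amount):
    # One statement: the subselect filters out rows the recipient may not write.
    return conn.execute(
        "UPDATE account SET balance = balance + ? WHERE owner_id = ? AND id IN "
        "(SELECT object_id FROM effective_acl WHERE recipient = ? AND can_write = 1)",
        (amount, owner_id, recipient)).rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data: 2 and 3 are children of 1; 4 has no ACL at all.
    conn.executemany("INSERT INTO acl_object VALUES (?, ?)", [(1, None), (2, 1), (3, 1), (4, None)])
    conn.executemany("INSERT INTO acl_entry VALUES (?, ?, ?)", [(1, "alice", 1), (3, "alice", 0)])
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", [(2, 7, 100), (3, 7, 100), (4, 7, 100)])
    rebuild_effective_acl(conn)
    changed = bulk_add(conn, "alice", 7, 10)
    return changed, conn.execute("SELECT id, balance FROM account ORDER BY id").fetchall()

if __name__ == "__main__":
    print(demo())
```

Rows with no effective entry are skipped by default, so an object missing from the ACL tree is never updated.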