Determining whether an administrator has access to a resource
The query we've just looked at returned a list of employees and accounts an administrator can manage. In a web application, each of these resources (employee, account) is accessible through its own URI. Given a friendly URI (e.g., http://TeleGraph/accounts/5436), what's to stop someone from simply changing the identifier in the URI and gaining access to an account they are not entitled to manage?

What's needed is a query that determines whether an administrator has access to a specific resource, and which the application runs on every request before it serves that resource. This is that query:
    START admin=node:administrator(name={adminName}),
          company=node:company(resourceName={resourceName})
    MATCH p=(admin)-[:MEMBER_OF]->()-[:ALLOWED_INHERIT]->()<-[:CHILD_OF*0..3]-(company)
    WHERE NOT ((admin)-[:MEMBER_OF]->()-[:DENIED]->()<-[:CHILD_OF*0..3]-(company))
    RETURN count(p) AS accessCount
    UNION
    START admin=node:administrator(name={adminName}),
          company=node:company(resourceName={resourceName})
    MATCH p=(admin)-[:MEMBER_OF]->()-[:ALLOWED_DO_NOT_INHERIT]->(company)
    RETURN count(p) AS accessCount
This query works by determining whether an administrator has access to the company to which an employee or an account belongs. How do we identify the company to which an employee or account belongs? Through clever use of indexes.

In the TeleGraph data model, companies are indexed both by their name and by the names of their employees and employee accounts. Given a company name, employee name, or account name, we can therefore look up the relevant company node in the company index. This relies on each indexed name resolving to a single company: if the same key were present under two companies, the START clause would bind company to both nodes and a grant on either of them would be counted, so the keys used for authorization must be unique across the index.
With that bit of insight, we can see that this resource authorization check is similar to the query for finding all companies, employees, and accounts, with only a few small differences:

• company is bound in the START clause, not the MATCH clause. Using the indexing strategy described earlier, we look up the node representing the relevant company based on the name of the resource to be authorized, whether employee or account.
• We don't match any further than company. Because company has already been bound based on an employee or account name, there's no need to drill further into the graph to match that employee or account.
• The RETURN clauses for the queries before and after the UNION operator each return a count of the number of matches. For an administrator to have access to a resource, at least one returned accessCount must be greater than 0. Because UNION discards duplicate rows, the result holds a single row when both halves produce the same count, so the application should test every row it gets back rather than expect exactly two.

Two further points are worth noting. The administrator and resource names enter the query as parameters ({adminName} and {resourceName}) rather than being concatenated into the query text, so a crafted name cannot change the structure of the query. And START, the node:index(...) lookups and the {param} parameter style are the legacy Cypher syntax of the Neo4j versions this chapter targets; later versions of Cypher express the same lookup with MATCH ... WHERE and $param parameters, but the shape of the authorization check is unchanged.
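To make the two halves of the UNION concrete, the following Python is an added, stand-alone re-implementation of the same rules over a small in-memory graph. It is not the book's code and does not talk to Neo4j; the graph, the company index and every name in it (the administrator Ben, the groups Group1 and Group2, the companies Acme, Spinoff, Startup and Other, the resources 5436, Alice, 9901 and Bob) are constructed for illustration, and the hypothetical handle_account_request function stands in for a /accounts/{id} handler that runs the check before returning a resource.

```python
"""Toy re-implementation of the TeleGraph resource-authorization query.

Illustrative code, not the book's: there is no Neo4j here, only an in-memory
graph and a dict standing in for the legacy `company` index. All names and
relationships below are constructed sample data.
"""
from collections import defaultdict


class Graph:
    """Directed, labelled edges stored as (src, rel) -> {dst}."""

    def __init__(self):
        self._out = defaultdict(set)

    def add(self, src, rel, dst):
        self._out[(src, rel)].add(dst)

    def targets(self, src, rel):
        return self._out.get((src, rel), set())


def ancestors(g, company, max_hops=3):
    """Nodes reachable from `company` along CHILD_OF in 0..max_hops hops, the
    company itself included: the same set as ()<-[:CHILD_OF*0..3]-(company)."""
    seen, frontier = {company}, {company}
    for _ in range(max_hops):
        frontier = {p for c in frontier for p in g.targets(c, "CHILD_OF")} - seen
        if not frontier:
            break
        seen |= frontier
    return seen


def access_counts(g, company_index, admin_name, resource_name):
    """Return (inherited, direct): the accessCount of each half of the UNION.

    `company_index` plays the part of the legacy index that maps a company,
    employee or account name (resourceName) to the owning company node.
    """
    company = company_index.get(resource_name)
    if company is None:
        # START binds nothing for an unknown resource, so nothing can match.
        return (0, 0)
    groups = g.targets(admin_name, "MEMBER_OF")  # empty for an unknown admin
    up = ancestors(g, company)

    # First half: ALLOWED_INHERIT on the company or one of its ancestors,
    # unless some group is DENIED on the company or an ancestor. The WHERE NOT
    # pattern mentions only admin and company, so one matching denial removes
    # every inherited row, exactly as in the Cypher query.
    denied = any(d in up for grp in groups for d in g.targets(grp, "DENIED"))
    inherited = 0 if denied else sum(
        1 for grp in groups for t in g.targets(grp, "ALLOWED_INHERIT") if t in up
    )  # one path per (group, ancestor) pair when the hierarchy is a tree

    # Second half: ALLOWED_DO_NOT_INHERIT must point at the company itself.
    # As in the query, no DENIED check is applied to this half.
    direct = sum(1 for grp in groups if company in g.targets(grp, "ALLOWED_DO_NOT_INHERIT"))
    return (inherited, direct)


def is_authorized(g, company_index, admin_name, resource_name):
    """The application's decision rule: any accessCount row greater than 0."""
    return any(n > 0 for n in access_counts(g, company_index, admin_name, resource_name))


def handle_account_request(g, company_index, admin_name, account_id):
    """Hypothetical /accounts/{id} handler: authorize before serving, so that
    editing the id in the URI gains nothing. Returns an HTTP status code."""
    if not is_authorized(g, company_index, admin_name, account_id):
        return 403
    return 200


def build_sample():
    """Constructed sample graph and index (not TeleGraph data)."""
    g = Graph()
    # Company hierarchy: Startup CHILD_OF Spinoff CHILD_OF Acme; Other is unrelated.
    g.add("Spinoff", "CHILD_OF", "Acme")
    g.add("Startup", "CHILD_OF", "Spinoff")
    # Administrator Ben belongs to two groups with different grants.
    g.add("Ben", "MEMBER_OF", "Group1")
    g.add("Ben", "MEMBER_OF", "Group2")
    g.add("Group1", "ALLOWED_INHERIT", "Acme")            # Acme and everything below it
    g.add("Group1", "DENIED", "Spinoff")                  # except Spinoff's subtree
    g.add("Group2", "ALLOWED_DO_NOT_INHERIT", "Startup")  # Startup only, no inheritance
    # The company index: company, employee and account names -> owning company.
    index = {"Acme": "Acme", "5436": "Acme", "Alice": "Spinoff",
             "9901": "Startup", "Bob": "Other"}
    return g, index


SAMPLE_GRAPH, SAMPLE_INDEX = build_sample()

if __name__ == "__main__":
    for resource in ["5436", "Alice", "9901", "Bob", "0000"]:
        print(resource, access_counts(SAMPLE_GRAPH, SAMPLE_INDEX, "Ben", resource),
              handle_account_request(SAMPLE_GRAPH, SAMPLE_INDEX, "Ben", resource))
```

Running it shows how the rules compose: Ben reaches account 5436 through the inherited grant on Acme, is refused Alice's record because Group1 is explicitly DENIED on Spinoff and that denial applies to Spinoff's subtree, yet reaches account 9901 in Startup through Group2's ALLOWED_DO_NOT_INHERIT grant, because, exactly as in the Cypher query, the DENIED check is applied only to the inherited half. An unknown resource name or an unknown administrator binds nothing and yields (0, 0), so the default is to refuse.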