Structuring a file system for permissions
Hello, I have an application with many modules like Course, jobs etc., and each one has files. I have a table that holds the "metadata" of a file, like whether it belongs to a course, a job or a job application etc., and I have to check if the one accessing the CV, for example, is HR or the user that applied. Right now the table FileMetadata has a lot of relations (to every other resource that I have, like course (videos/photos), job application, job (photos in it), etc.). Is this the right approach? I need pretty granular permissions, because a user can't access the files from a course/section he is not enrolled in, for example. This really bugs me because it seems there could be a better approach but I don't see one.
So FileMetadata is really the key from AWS, the name and a lot of foreign keys from different tables.
This would be an idea of the file metadata:
model FileMetadata {
  id                   String             @id @unique
  originalName         String?
  course               Course?            @relation(fields: [courseId], references: [id], onDelete: Cascade)
  courseId             String?            @db.Uuid
  content              Content?           @relation(fields: [contentId], references: [id], onDelete: Cascade)
  contentId            String?            @unique @db.Uuid
  job                  Job?               @relation(fields: [jobId], references: [id], onDelete: Cascade)
  jobId                String?            @db.Uuid
  jobApplicationCV     JobApplication?    @relation("cvFile")
  jobApplicationLetter JobApplication?    @relation("letterFile")
  createdAt            DateTime           @default(now())
  public               Boolean            @default(false)
  JobContent           JobContent?        @relation("imageFile")
  StudentAssigment     StudentAssigment[]
}
For example, when a user makes a request with the id, I would then go check, depending on the route (course, job), if he is part of the course or job, or has access to the job content or CV (depending on whether it's null or not), etc.
What do you think? Another option would be to keep it directly in the course or whatever using a JSON, but then the search would be harder.
Thanks!
3 Replies
Your current solution seems like a good solution to me.
You could store file references in a JSON field on the parent resource (e.g., Course.files: Json). However, this makes querying and searching for files much harder and less efficient, and you lose relational integrity, so I won't recommend it.
For your need to restrict access, you will need to implement these checks in your application logic.
Thanks for the support, I am trying now to break it down though into modules, so the filemetadata is not that big.
I was initially storing the data in a JSON file but, like you said, it seemed to be a hard-to-scale solution.
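An added example (not code from the thread or from Prisma) of the application-level check the reply refers to, deciding from the file's own relations rather than from the route the request arrived on, and denying by default. `FileMeta` is a flattened, assumed view of the `FileMetadata` row; `Viewer`, `AccessFacts` and `canReadFile` are hypothetical names, and the lookups would be database queries in a real service.

```typescript
// Flattened view of one FileMetadata row (assumed shape; cvApplicationId is
// the id of the JobApplication whose "cvFile" relation points at this file).
type FileMeta = {
  id: string;
  public: boolean;
  courseId: string | null;
  jobId: string | null;
  cvApplicationId: string | null;
};

type Viewer = { id: string; isHr: boolean };

// Lookups the caller supplies (hypothetical; backed by the database in practice).
type AccessFacts = {
  isEnrolled: (userId: string, courseId: string) => boolean;
  applicantOf: (applicationId: string) => string | null;
};

function canReadFile(file: FileMeta, viewer: Viewer | null, facts: AccessFacts): boolean {
  if (file.public) return true;
  if (viewer === null) return false; // anonymous callers only get public files

  // With many nullable foreign keys, a row can end up with zero or several
  // owners. Treat both as a data error and deny instead of picking one.
  const owners = [file.courseId, file.jobId, file.cvApplicationId].filter(
    (v) => v !== null
  );
  if (owners.length !== 1) return false;

  if (file.cvApplicationId !== null) {
    // CV: HR or the user who applied, as described in the question.
    return viewer.isHr || facts.applicantOf(file.cvApplicationId) === viewer.id;
  }
  if (file.courseId !== null) {
    // Course file: only enrolled users.
    return facts.isEnrolled(viewer.id, file.courseId);
  }
  // Non-public job file: the thread does not say who may read it.
  // Assumption for this example: HR only.
  return viewer.isHr;
}
```

Because the branch is chosen from the stored row, a file id requested through the wrong route still gets the check that matches its owner.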