On Thu, Apr 03, 2003 at 12:52:10 -0500,
Tamir Halperin <tamir@brobus.net> wrote:
> I'd like to make a suggestion, Peter:
>
> You may very well find a way to contstrain inserts using pgsql according to your business rules, but I observe that
you'rebeginning to develop a dependency on the data layer for your business logic.
>
> The reason you may not want to rely on db componentry (rules, triggers, etc...) to implement this type of business
logicis because at some point in the future your business logic may change and then you're required to heavily modify
yourdatabase when it may not be a problem with the data.
On the other hand implementing security in the application doesn't work
if the application runs on the user's machine. For example Peoplesoft's
security for version 7.x is totally broken if you let people run two
tier (which you have to to let people do some things). The app eventually
connects to the data base with full update access to all tables and relies
on the user not tampering with the app.
If the app runs on a secure machine then implementing security on the
app server is reasonable (at least under some circumstances).
