> A user can only see the salaries of all his direct reports.
With an employee-salary table, that's a fairly simple row-level security rule.
> Again, there's a reason why almost every web app built in the last twenty years just used user/pass credentials and didn't implement db security beyond that: expressiveness.
I agree that there is a reason, but that's not it; there is a combination of the lack of features in popular (particularly free) databases in the early part of the period (heck, MySQL/MariaDB still doesn't support row-level security), inertia, and lack of database knowledge among web app developers.
> But I'm not gonna change your mind on it today. Just think about it for a while.
This is not a new issue for me; I have been thinking about it for quite a long while.
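The "salaries of direct reports" rule from the quoted exchange, expressed as a PostgreSQL row-level security policy. This is an added example, not code from the thread; the schema, role names and figures are constructed, and it assumes each application user connects as (or switches to) a database role named after their login, so that `current_user` identifies the employee. The policy compares against a `manager` column holding the manager's login rather than looking the manager up in the same table, because a policy that queries its own table would recurse.

```sql
-- Constructed schema: manager is stored as the manager's login (= role name)
CREATE TABLE employees (
    login   text PRIMARY KEY,
    manager text REFERENCES employees(login),
    salary  numeric NOT NULL
);

-- Constructed roles: one database role per application user
CREATE ROLE alice; CREATE ROLE bob; CREATE ROLE carol;
GRANT SELECT ON employees TO alice, bob, carol;

-- Constructed data: alice manages bob, bob manages carol
INSERT INTO employees VALUES ('alice', NULL,    200000),
                             ('bob',   'alice', 150000),
                             ('carol', 'bob',   100000);

ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
-- FORCE so the table owner is also subject to the policy; note that
-- superusers and roles with BYPASSRLS still bypass it, so the application
-- must not connect as one of those.
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

-- "A user can only see the salaries of all his direct reports":
-- a row is visible only when its manager is the current role.
CREATE POLICY direct_reports ON employees
    FOR SELECT
    USING (manager = current_user);

-- Check: bob sees carol's row and nothing else (not alice, not himself).
SET ROLE bob;
SELECT login, salary FROM employees;   -- carol | 100000
RESET ROLE;

-- Check: carol has no reports, so the table appears empty to her.
SET ROLE carol;
SELECT count(*) FROM employees;        -- 0
RESET ROLE;
```

With no policy for INSERT, UPDATE or DELETE, those commands are denied for every non-bypassing role once RLS is enabled, which is the failure-closed behaviour you want for a salary table.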