Efficiency of using ACLs vs checking group memberships


I’m developing an extension which allows specific old tickets to be used as templates when creating new tickets. Each template ticket will be assigned a name and a description, along with a list of RT groups who are allowed to use that particular template.

When I did something similar in the past, I stored a list of group IDs along with each template, and when determining which templates to show a user, I would load all of them and see if the current user was a member of any of the listed groups. I used per-user caching so that it would only do this check every few minutes.

An alternative would be to use the ACL mechanism, where I have an RT class for a ticket template (inheriting from RT::Ticket and RT::Record), and grant a new right like “UseTemplate” on each template to the relevant groups, and then just use the “CurrentUserHasRight()” method on each template.

The list-of-groups approach is slightly easier to code but feels clunky and inefficient to me - but I have no idea how it would compare to the ACL approach, which re-uses well-tested RT code but for all I know may have problems when used in this way.

Does anyone have any suggestions as to which way to go, or of another approach to the problem?

Edit: Later I realised there is an RT::User::OwnGroups() method, so the list-of-groups approach is not so bad since I just call that method once to get a list of group IDs the user is a member of, then include templates that match any of those - I don’t have to call RT::Group::HasMember() for every group.

Leaving this up in case anyone has strong feelings either way.
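
A model of the two list-of-groups variants described in this post, as an added example that is not part of the original post and is not RT code: `GroupDirectory`, `TEMPLATES` and every function name are hypothetical stand-ins, and the data is constructed. It also models the per-user cache, where a removed group membership keeps granting access until the entry expires or is invalidated.

```python
import time

# Constructed sample data: template name -> group IDs allowed to use it.
TEMPLATES = {
    "password-reset": {10, 11},
    "new-starter": {12},
    "server-build": {11, 13},
}

class GroupDirectory:
    """Stand-in for the membership store; counts lookups to compare cost."""
    def __init__(self, memberships):
        self.memberships = memberships  # user -> set of group IDs
        self.lookups = 0

    def has_member(self, group_id, user):   # one query per (group, user) pair
        self.lookups += 1
        return group_id in self.memberships.get(user, set())

    def own_groups(self, user):             # one query per user
        self.lookups += 1
        return set(self.memberships.get(user, set()))

def visible_per_group(directory, user):
    """First approach: test membership of the groups listed on every template."""
    return sorted(name for name, allowed in TEMPLATES.items()
                  if any(directory.has_member(g, user) for g in sorted(allowed)))

def visible_by_intersection(directory, user):
    """Approach from the edit: fetch the user's groups once, then intersect."""
    mine = directory.own_groups(user)
    return sorted(name for name, allowed in TEMPLATES.items() if allowed & mine)

class CachedVisibility:
    """Per-user cache with a TTL; a removed membership stays effective until expiry."""
    def __init__(self, directory, ttl_seconds, clock=time.monotonic):
        self.directory, self.ttl, self.clock = directory, ttl_seconds, clock
        self.cache = {}  # user -> (expiry time, template names)

    def visible(self, user):
        hit = self.cache.get(user)
        if hit and hit[0] > self.clock():
            return hit[1]
        names = visible_by_intersection(self.directory, user)
        self.cache[user] = (self.clock() + self.ttl, names)
        return names

    def invalidate(self, user):
        """Call when the user's memberships change to close the stale window."""
        self.cache.pop(user, None)
```
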