This could be done by checking the top level and the current level first, because it's likely that those are where the perms are coming from.
Eval if permitted after each lookup to see if the user is now permitted for the action.
The bit comparison is infinitely cheaper than lookups.
This is possible because only "additive" permissions are supported.
Another possible solution could be to "bake" the permissions and only look them up once, which could very well work but would be even more work, I guess. (Maybe not even, because you can just rebake them completely on change; it doesn't occur often, so you technically don't need to patch them.)
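A sketch of the lookup order and early exit described above, together with the "baked" variant. This is an added example, not code from the project; the `Perm` bits, the `Store` class, the level names and the grants are all hypothetical.

```python
from enum import IntFlag


class Perm(IntFlag):  # hypothetical permission bits
    READ = 1
    WRITE = 2
    DELETE = 4


class Store:
    """Stand-in for the expensive per-level lookup; counts calls."""

    def __init__(self, grants):
        self.grants = grants  # {(user, level): Perm}
        self.lookups = 0

    def lookup(self, user, level):
        self.lookups += 1
        return self.grants.get((user, level), Perm(0))


def lookup_order(path):
    """Top level first, then the current level, then the levels between."""
    return list(path) if len(path) <= 2 else [path[0], path[-1], *path[1:-1]]


def is_permitted(store, user, path, required):
    acc = Perm(0)
    for level in lookup_order(path):
        acc |= store.lookup(user, level)
        # Additive-only grants: no later level can clear a bit, so stop here.
        if (acc & required) == required:
            return True
    return False


def bake(store, user, path):
    """'Baked' variant: OR every level once; rebuild whole mask on change."""
    mask = Perm(0)
    for level in path:
        mask |= store.lookup(user, level)
    return mask


# Constructed sample data: a four-level hierarchy and three grants.
PATH = ["org", "project", "folder", "doc"]
GRANTS = {("alice", "org"): Perm.READ, ("alice", "doc"): Perm.WRITE,
          ("bob", "folder"): Perm.DELETE}

def count_lookups(user, required):
    store = Store(dict(GRANTS))
    return is_permitted(store, user, PATH, required), store.lookups
```

If deny or override rules were ever introduced, the early return would no longer be sound and every level would have to be read before answering.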