What are the best practices for implementing ACL (access control list)?
Hello!
A question about best practices for implementing ACLs.
For simplicity, I will describe a primitive hypothetical problem.
There is a certain resource, for example pictures. The pictures lie on disk as files, and the file names and links to them are in a DBMS table. Let's say the size of each picture is stored there as well.
There is also a table of users in the same DBMS.
To access images, a backend has been developed that accepts REST requests, "translates" them into SQL, receives a response from the database, and returns the result as JSON.
Suppose we need to restrict users' access to pictures so that users do not know anything about the presence of "foreign" pictures.
Also, let's say that there is a request `/images/list` without parameters, which returns all the pictures in the DBMS available to the user and displays the list as JSON.
Implementation:
Only one option comes to mind: a third table is created that lists all the images available to each specific user; then the user's request leads to a selection from the database, with one or more queries, of the desired image names, and the list is returned to the user. Well, let's say that's OK.
What if the user should be able to access `*.png` but not `*.bmp`? Then it turns out that each request should first result in receiving the entire list of files, and then a certain filtering algorithm should be applied to the resulting list (leave all `*.png` files in the response, delete the `*.bmp` files from the response)? Is that it?
And if you need to show files up to a certain size, but not more? Another filtering algorithm?
Somehow it all ends up being done head-on ...
But what if there are 3, 5, 10, 100 resources? What if the resources are hierarchical? For example, there are related tables of regions/provinces/cities and you need to set up complex access: a user can have access to several regions, to several provinces within the accessible regions, and to some cities within the accessible provinces. In the GUI it is roughly clear how to depict this (as a tree with checkboxes), but what about implementing all of this? Should it be coded head-on in each specific case? And if one more level of hierarchy is added? Extend the response-filtering algorithm?
What if each resource is a separate microservice? It turns out that you first need to collect all the answers and then filter?
Somehow it's all ... complicated ... If the system is complicated enough, then the ACL itself will be huge ...
Actually, the question! Is there any beautiful solution for such tasks?
Who solved such problems? Give advice!
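One way out of the fetch-then-filter trap described in the question is to express the ACL as composable predicates that are compiled into the `WHERE` clause of the query, so that rows the user may not see never leave the database. The following is an added example written for this discussion, not code from the question or from any particular project; the schema, the sample rows and the `Policy`/`Predicate` names are constructed assumptions. Grants (own images, a region subtree) are OR-ed together, limits (file extension, maximum size) are AND-ed on top, and a recursive CTE makes a grant on a region cover every province and city below it, so adding a hierarchy level changes data, not code. With no grants the policy denies by default.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed schema and sample rows (hypothetical, not taken from the question).
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE regions (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT);
CREATE TABLE images  (id INTEGER PRIMARY KEY, owner_id INTEGER, region_id INTEGER,
                      filename TEXT, size INTEGER);
INSERT INTO users   VALUES (1, 'alice'), (2, 'bob');
INSERT INTO regions VALUES (1, NULL, 'North'), (2, 1, 'North/A'),
                           (3, 2, 'City A1'), (4, NULL, 'South');
INSERT INTO images  VALUES (1, 1, 3, 'a.png', 100),  (2, 2, 3, 'b.png', 5000),
                           (3, 2, 3, 'c.bmp', 100),  (4, 2, 4, 'd.png', 100),
                           (5, 1, 4, 'e.bmp', 100);
"""

# Every query is prefixed with this CTE: region_tree maps each region id to every
# ancestor ("root"), so a grant on a region also covers the subtree below it.
REGION_TREE = """
WITH RECURSIVE region_tree(id, root) AS (
    SELECT id, id FROM regions
    UNION ALL
    SELECT r.id, t.root FROM regions r JOIN region_tree t ON r.parent_id = t.id
)
"""


@dataclass(frozen=True)
class Predicate:
    """A SQL fragment plus bind parameters; values never get string-formatted in."""
    sql: str
    params: tuple = ()


def owned_by(user_id):
    return Predicate("images.owner_id = ?", (user_id,))


def in_region_subtree(region_id):
    return Predicate(
        "images.region_id IN (SELECT id FROM region_tree WHERE root = ?)", (region_id,))


def extension_is(ext):
    return Predicate("lower(images.filename) LIKE ?", ("%." + ext.lower(),))


def size_at_most(limit):
    return Predicate("images.size <= ?", (limit,))


@dataclass
class Policy:
    grants: list = field(default_factory=list)  # any one grant suffices (OR)
    limits: list = field(default_factory=list)  # every limit must hold (AND)

    def where(self):
        """Compile the policy to a WHERE clause and its bind parameters."""
        if not self.grants:
            return "0", ()  # default deny: no grants means no rows
        sql = "(" + " OR ".join(f"({g.sql})" for g in self.grants) + ")"
        params = [p for g in self.grants for p in g.params]
        for lim in self.limits:
            sql += f" AND ({lim.sql})"
            params.extend(lim.params)
        return sql, tuple(params)


def list_images(conn, policy):
    """Equivalent of /images/list: the filter runs inside the DB, not on the response."""
    where, params = policy.where()
    query = REGION_TREE + "SELECT filename FROM images WHERE " + where + " ORDER BY filename"
    return [row[0] for row in conn.execute(query, params)]


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    conn = open_demo_db()
    # alice: her own images, plus everything under region 1, but only PNGs up to 1000 bytes
    alice = Policy(grants=[owned_by(1), in_region_subtree(1)],
                   limits=[extension_is("png"), size_at_most(1000)])
    print(list_images(conn, alice))  # ['a.png']
```

A new resource type only needs its own predicate builders and a query prefix; the policy objects themselves can be loaded from the per-user tables the question already proposes, so the filtering logic is data rather than a hand-written branch per case. For microservices the same idea applies: each service compiles its share of the policy into its own query instead of the caller collecting every response and filtering afterwards.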