tags:

views:

137

answers:

2
+1  Q: 

Object Model Authorization - OO Design Question

Background Each Project has one Account it is associated with. Each User can have permission to access zero to many Accounts. This in turn means that each User can only access a sub-set of Projects based on the User's Account permissions.

The User object is loaded up when the user signs in to the application, and Account permissions are loaded up at that point as well. That User object is stored in the application's cache. Projects are loaded on an as-needed basis.

Question What is the best way to enforce the Account limitations? We want it to be abstracted away from the actual presentation logic, but we don't think it's necessarily a good approach to put the authorization logic inside the Project object, because then it depends on the User object. What do you guys think?

Example: (aspx page code behind)

Project oProject = New Project(projectId); //Pass an Int32 here
if (oProject.Load()) //This operation needs to check user permissions somehow
{ /* Do stuff */ }
+1  A: 

Then abstract away the user object also. Turn user objects into a collection of permissions you can query using a standard interface from the projects.

DanDan  2009-08-05 15:18:00
So then would I pass the user object into the project object?
Brandon Montgomery  2009-08-05 15:23:28
Indirectly, via its interface. In this solution you won't be able to get around the fact that Projects and Users know about this interface, but the Project does not need to know if it is talking to a User or a TestHarness or etc.
DanDan  2009-08-05 15:28:57
+1  A: 

You could implement a class responsible for validating permissions against the project (i.e. do the permission check logic would live outside the project); e.g. In Java:

public interface EntitlementsManager {
   void checkProjectPermission(String userName, int projectId) throws SecurityException;
}

Then in your code you simply add calls to checkProjectPermission at the business layer before passing results back to your presentation layer. Granted this is a a fairly procedural (i.e. non-OO) approach but it's clear to follow as all your permission based logic is in one class. The exception based approach also means fewer if-then statements in your code.

Adamski  2009-08-05 15:30:18
What if there are multiple pages which load the project, and in one page the user should be authorized to load the project, but in another the user should NOT be authorized to load the project?
Brandon Montgomery  2009-08-05 19:55:54

related questions

How to keep track of the references to an object?
When should you use 'friend' in C++?
Overiding the equals method vs creating a new method
Making one interface overwrite a method it inherits from another interface in PHP
What are the correct stencils for object relational diagramming in visio?
Is Single Responsibility Principle a rule of OOP?
Expression Evaluation and Tree Walking using polymorphism? (ala Steve Yegge)
Access to global application settings
Inheritance and Polymorphism - Ease of use vs Purity
Do you name controls on forms using the same convention as a private variable?
How do you create a static class in C++?
How do you create objects in Perl?
Why all the Active Record hate?
When is OOP better suited for?
Accessing a CONST attribute of series of Classes
Multi-Paradigm Languages
Speed Comparisons - Procedural vs. OO in interpreted languages
pass by reference or pass by value?
How to Think in OO
Using object property as default for method property
Adding a Method to an Existing Object
Object Oriented vs Relational Databases
Class views in Django
C++: Should I use nested classes in this case?
How would you access Object properties from within an object method?