I'm developing a document oriented application and need to manage user access to the documents. I have a module that handles user authentication, and another module that handles document CRUD operations on the data store. Once a user is authenticated I need to enforce what operations the user can and cannot perform to documents based upon the user's permissions. The best option I could think of to integrate these two pieces together would be to create another module that duplicates the data API but that also takes the authenticated user as a parameter. The module would delegate the authorization check to the auth module and delegate the document operation to the data access module. Something like:
-module(auth_data_access).
% User is authenticated (logged into the system)
% save_doc validates if user is allowed to save the given document and if so
% saves it returning ok, else returns {error, permission_denied}
save_doc(Doc, User) ->
case auth:save_allowed(Doc, User) of
ok ->
data_access:save_doc(Doc);
denied ->
{error, permission_denied}
end
end.
Is there a better way I can handle this?