I'm using the repository pattern to query our database using NHibernate. It makes it really easy to do things like:
public T GetById(int id) {...}
But that doesn't help much when someone starts mucking with the querystrings to see things they aren't allowed to.
To compound it, some objects are deeply nested children of the parent object which the authorization should be performed on.
For instance blog --> author --> post --> comment. In this contrived example we'd like to give authors the ability to edit their own posts and comments on those posts, but not see or edit those of other authors. It's easy to check that the post belongs to the author; it's a little more difficult to make sure the comment belongs to the author. We have some instances that go deeper.
So ... how do we do authorization (in the model or repository)?
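One way to push the ownership check into the repository itself, so a tampered id can never resolve to another author's row, as an added C# example that is not code from the question or from NHibernate. The domain classes, IOwnershipPolicy, ScopedRepository and the sample data are constructed assumptions; the in-memory IQueryable stands in for session.Query<T>().

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Constructed domain model for the blog -> author -> post -> comment chain (names are assumptions).
public interface IEntity { int Id { get; } }
public class Author  : IEntity { public int Id { get; set; } }
public class Post    : IEntity { public int Id { get; set; } public Author Author { get; set; } }
public class Comment : IEntity { public int Id { get; set; } public Post Post { get; set; } public string Body { get; set; } }

// Hypothetical per-aggregate policy: "owned by author X" as an expression tree, so the
// check becomes part of the SQL (with NHibernate it composes into session.Query<T>()).
public interface IOwnershipPolicy<T> { Expression<Func<T, bool>> OwnedBy(int authorId); }
// A comment is owned by the author of the post it hangs off (a PostPolicy would be
// p => p.Author.Id == authorId); deeper chains walk further up the same parent references.
public class CommentPolicy : IOwnershipPolicy<Comment>
{
    public Expression<Func<Comment, bool>> OwnedBy(int authorId) => c => c.Post.Author.Id == authorId;
}

// Ownership filter is ANDed with the id lookup in one query, so a tampered id that points
// at another author's row finds nothing (null, surfaced as 404) instead of leaking it.
public class ScopedRepository<T> where T : class, IEntity
{
    private readonly IQueryable<T> _source;   // stands in for session.Query<T>()
    private readonly IOwnershipPolicy<T> _policy;
    public ScopedRepository(IQueryable<T> source, IOwnershipPolicy<T> policy) { _source = source; _policy = policy; }
    public T GetById(int id, int currentAuthorId) =>
        _source.Where(_policy.OwnedBy(currentAuthorId)).FirstOrDefault(e => e.Id == id);
}

public static class Demo
{
    public static void Main()
    {
        var alice = new Author { Id = 1 };
        var bob   = new Author { Id = 2 };
        var comments = new List<Comment>   // constructed sample data
        {
            new Comment { Id = 100, Post = new Post { Id = 10, Author = alice }, Body = "on alice's post" },
            new Comment { Id = 101, Post = new Post { Id = 11, Author = bob },   Body = "on bob's post" },
        };
        var repo = new ScopedRepository<Comment>(comments.AsQueryable(), new CommentPolicy());
        // Author 1 fetches her own comment, then tampers with the id to request one on Bob's post.
        Console.WriteLine(repo.GetById(100, currentAuthorId: 1)?.Body ?? "not found");
        Console.WriteLine(repo.GetById(101, currentAuthorId: 1)?.Body ?? "not found");
    }
}
```

Because the ownership predicate is an expression rather than an in-memory check, the same policy can scope list queries (Where) and write paths (load-then-update) with no separate post-load authorization step to forget.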