tags:

views:

25

answers:

2
Q: 

Where should I filter records?

I'm designing a course management system which has different kinds of users, including sysadmin, branch manager and branch user. As you might expect, the sysadmin can manage all records, the branch manager can manage all records from its branch and the branch user can only manage its records.

My question is, where should this filtering be done? Should I do it at the DAL layer? Or just return all records from the DAL and then do the filtering at some other layer? I've been looking everywhere for best practices regarding authorization but I haven't found anything that explains this aspect clearly.

Thanks.

+2  A: 

In general, selection of database records, for whatever reason, should be done by the database --- that's it's job.

Further,

  • You don't want unnecessary records wasting bandwidth between your database server and client machine.
  • You don't want unnecessary records taking up memory on your client machine.
  • You don't want unauthorized records in memory on your client machine where they could be hacked.
James Curran  2010-08-06 19:22:47
A: 

The implementation-level answer to this question will depend heavily on your tools. Will this be .NET, Java, PHP, Python?

Your DAL should ONLY be concerned with returning and committing data to a data store. Filtering such as you describe is best handled in the middle-tier, with the business logic. Most queries will occur in the context of the logged-in user so that the appropriate data is returned, so keep this in mind as you design the system.

UPDATE:

Given .NET and NHibernate, NHibernate is your ORM/DAL. The DAL should ideally be a Repository implementation to allow you to get data in and out of your database.

Design a domain model to handle the relationships between User, Role, and Branch. Each entity has relationships to the other entities. The "records" for those branches must also be modeled as entities. Once your relationships are established in your model, you can design methods on each entity that retrieve related entities. You might consider this model to be a sort of ViewModel or Controller. Its job is to explicitly implement the relationship between the entities, creating an abstraction "above" the one provided by NHibernate.

Dave Swersky  2010-08-06 19:25:11
This is .NET using NHibernate for the DAL. What I don't know is if I should make the DAL aware of the user that is executing the queries.
jesusbolivar  2010-08-06 19:28:32
In general, the DAL should know nothing about the *nature* of the data, just how to get it in and out of the database. You should have a domain model atop the DAL that understands what a user is, and to which objects they should have access.
Dave Swersky  2010-08-06 19:30:15
How would you implement a method like GetRegistrationsForCourse? Where the records returned should be filtered according to the user that's calling it.
jesusbolivar  2010-08-06 19:38:42
See my update: the Course entity should have a Registrations collection. The Registration entity should have a Courses collection. You need one more level of abstraction around the one provided by NHibernate that you use throughout your application to interact with your entities.
Dave Swersky  2010-08-06 19:42:35

related questions

Should unauthorized actions in the UI be hidden, disabled, or result in an error?
Porting JDBCRealm from tomcat to OC4J
Any frameworks on Authentication & Authorization for Windows Form Application?
How to design database for authorization and authentication
ASP.NET MVC Authorization
Custom Rails authentication / authorization
How to handle authorization when using NHibernate in .NET
How to allow authorization to an rss feed using ASP.NET MVC?
Security integration with arcPlan Enterprise
Best way to implement fine-grained authorization for a web application?
Authentication system for ASP.NET web applications?
User Access Checking for Rights on Particular Database Objects or Records
Authorizing REST Requests
Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?
How do you restrict access to a certain user using ASP.NET MVC?
Scalable/Reusable Authorization Model
Forms Authentication Error in WCF
What are the best-practices around resource list authorization?
Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?
Non-interactive authentication/authorization for XML-RPC?
WCF Service authorization patterns
Managing large user databases for single-signon.
Best way to handle user account authentication and passwords
Best practise to authorize all users for just one page in asp.net
Why do I get the error "Unable to update the password" when calling AzMan?