In MVC, where is the correct place to put authorization code?
The controller?
The Model?
In the view?
All over the place?
views:
218answers:
6
A:
If you have to choose between M, V or c, the C is the correct place. But, I recommend an architecture where your app is all contained in libraries and the UI is just a thin veneer. You end up calling down the stack from the Controller, but the code is not in the controller.
In MVC, the Model is just a model, or a "dumb data object", if you will. It is designed to hold state, and should not dictate behavior. The View is for the user to interact with and is also "dumb"; the view handles UI. The controller is where behavior sits, or is the entry point into behavior in the case where the app logic is in libraries. Make sense?
Gregory A Beamer
2009-03-11 15:09:57
Your definition of MVC is incorrect. The M in MVC is the most important part, it is not a dumb data object. Behavior should be in M, this is were your business logic is. Whether authorization is part of business logic is not clear to me.
Exception e
2010-05-07 22:00:26
A:
Model.
Controller is just for switching through different ways. View is just for... viewing.
So you should make all authorization codes in the Model layer. Ideally, everything will work just fine. If not, then the controller will take the user to the proper login box.
Seb
2009-03-11 15:10:28
+1
A:
We are using all three layers to authorize:
- the view shows the authorization dialog
- the model does the autorization (checks the login against ldap or a database)
- the controller is the "glue" between the other two layers
bernhardrusch
2009-03-11 15:11:37
You meant authenticating, I mean where to manage which actions a user can make, or not (not if the user is a legal one or not)
Itay Moav
2009-03-11 16:03:58
I think that it is unreasonable for you to expect people to spend more time answering your question than you spent writing it. If you think that the single word "authorization" makes that clear, try showing your question around to people unfamiliar with your project, and see what they think.
Craig Stuntz
2009-03-11 19:51:52
+1
A:
I vote for putting it where it makes sense. Most of my authorization stuff is handled via decorating controller actions (or even some controllers) with the AuthorizeAttribute -- or an attribute derived from it. In a few cases -- like my menus -- I've resorted to putting the authorization check in the view code itself, rather than calculating it in each controller and passing flags down in ViewData. There are a few instances where certain aspects of the model are only available to particular roles and in those cases I've resorted to extending the model with methods that can take the current user and roles and do the check there.
tvanfosson
2009-03-11 15:14:46
A:
I think authorization is a cross-cutting concern. Should be in one place - an aspect that can be declaratively applied where it's needed.
duffymo
2009-03-11 15:16:37
+1
A:
The Controller!
Your View should only handle user interface and display Your Model should represent the data in your system. Your Controller should handle the logic of how the system works.
Authorising a user involves taking the credentials provided from the View, checking them against some sort of authorisation list in the model and then performing a check.
This is done in the controller: Get user credentials from View if(compare with user list in model returns match) authorise users else refuse access
Craig Warren
2009-03-11 15:45:40