1

I have an enterprise system that is represented by a domain model. Part of the requirement is that the system should limit access to some of the features based on the privileges of the logged-in user.

Should I put this privilege validation inside my domain model? But then there will be a problem: it doesn't know which user is logged in. How should I pass that to it?

Or

Should I put privilege validation at the presentation level, in the web application itself?

Sisyphus
  • 377

1 Answer

1

Should I put this privilege validation inside my domain model?

No. You should divide the methods on the domain model suitably to allow the granularity of control you require. Then limit access to those methods with standard role-based authentication.

E.g. (pseudocode based on C# MVC):

public class OrderController : Controller
{
    // This is for users
    [Authorize(Roles = "User")]
    public void DeleteMyOrder(string id)
    {
        orderService.DeleteMyOrder(id);
    }

    // This is for admins
    [Authorize(Roles = "Admin")]
    public void DeleteAnyOrder(string id)
    {
        orderService.DeleteAnyOrder(id);
    }
}
Ewan
  • 83,178
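
One way to handle the question's "how should I pass it to it", added here as an example and not part of the answer above: the caller's `ClaimsPrincipal` is handed to the service explicitly, which checks the role and, for the "my order" method, ownership of the record as well. `Order`, the service method signatures, the in-memory store and the `Demo` class are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical types for illustration; not the answer's or any project's code.
public record Order(string Id, string OwnerId);
public class OrderService
{
    private readonly Dictionary<string, Order> _orders = new();
    public void Add(Order o) => _orders[o.Id] = o;
    public bool Exists(string id) => _orders.ContainsKey(id);

    // Role gate plus ownership check; the caller is passed in, not looked up globally.
    public void DeleteMyOrder(ClaimsPrincipal caller, string id)
    {
        Require(caller, "User");
        var callerId = caller.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!_orders.TryGetValue(id, out var order) || order.OwnerId != callerId)
            throw new UnauthorizedAccessException("No such order for this user.");
        _orders.Remove(id);
    }

    // Admins may delete any order, so only the role is checked.
    public void DeleteAnyOrder(ClaimsPrincipal caller, string id)
    {
        Require(caller, "Admin");
        _orders.Remove(id);
    }

    private static void Require(ClaimsPrincipal caller, string role)
    {
        if (!caller.IsInRole(role))
            throw new UnauthorizedAccessException($"Role '{role}' required.");
    }
}

public static class Demo
{
    // Constructed sample identity; a web app would get this from its authentication layer.
    static ClaimsPrincipal Principal(string id, string role) => new(new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.NameIdentifier, id), new Claim(ClaimTypes.Role, role) }, "constructed"));
    public static void Main()
    {
        var svc = new OrderService();
        svc.Add(new Order("o1", "alice")); svc.Add(new Order("o2", "bob"));
        var alice = Principal("alice", "User");
        try { svc.DeleteMyOrder(alice, "o2"); }   // o2 belongs to bob, not alice
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        svc.DeleteMyOrder(alice, "o1");            // alice's own order
        svc.DeleteAnyOrder(Principal("root", "Admin"), "o2");
        Console.WriteLine(svc.Exists("o1") || svc.Exists("o2"));
    }
}
```

In an MVC controller the same principal is available as the controller's `User` property, so the action can forward it to the service after the `[Authorize]` attribute has done the coarse role check.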