design patterns - Where to apply domain level permissioning -


permissioning/authorization (not authentication) cross-cutting concern, think.

in onion architecture or hexagonal architecture, should permissioning performed? examples of permissioning required be:

  • filtering data returned front end (ui, api, or otherwise)
  • validating business operation can performed @ all

ideally, via single responsibility principle, code performs business operations , returns data shouldn't need aware of user's permissions @ all. implementations of functionality should know how perform business operations or query repository or domain service - that's it.

would wrapper/facade implementing same interface class performing business operation or returning data place put permissioning? or there better way?

also, if best practice permission activity, not role, still valid permissioning should performed service purpose return data?

one argue access checking should close code performs operation possible reduce chance can find side-channel bypasses access checking. said, if can use wrapper class such guarantee in production system access checking in place, think fine.

validating business operation can performed @ all

i find natural put access checks determine if operation can performed or not in wrapper. wrapper code typically simple glue understands arguments being passed protected function , converts form appropriate making authorization decisions.

filtering data returned front end (ui, api, or otherwise)

by assuming mean filtering rows out of query's response based on permissions of caller. example, if department manager makes query everyone's salary, manager returned salaries of people report him/her don't have permission access other people's salaries.

for type of filtering have never found way of implementing crosscutting concern. have either baked filtering business logic or fallen on model refuses allow query execute due lack of permission.

the problem i've faced that, enable filtering, security code must @ data returned , able associate permissions it. seems fair amount of work in simple case , downright hairy in complex case (imagine data set being returned join of several database operations).

that said, i'm not against content filtering. haven't seen solution it.


-

Comments

Post a Comment

Popular posts from this blog

facebook - android ACTION_SEND to share with specific application only -

in android application have 4 buttons facebook , viber , telegram , whatsapp , want share different content based on each button. for example if user clicks on viber button want user action_send share content viber only. i found this explains how facebook , twitter seems it's calling specific class name of application don't know applications wanna use except facebook. all android apps have unique id, first have check if these apps installed in user's device , can pass unique id via intent sharing. according below: unique ids different apps : viber : com.viber.voip telegram : org.telegram.messenger whatsapp : com.whatsapp check if these apps installed , if installed send messages through intent. private void sendmessage(context context,string message, string appids) { final boolean isappinstalled =isappavailable(context, appids); if (isappinstalled) { intent myintent = new intent(intent.action_send); myintent.settype("text/p...
Read more

python - Creating a new virtualenv gives a permissions error -

i'm getting following output when running virtualenv newvenv . traceback (most recent call last): file "/usr/local/bin/virtualenv", line 5, in <module> pkg_resources import load_entry_point file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2727, in <module> add_activation_listener(lambda dist: dist.activate()) file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 700, in subscribe callback(dist) file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2727, in <lambda> add_activation_listener(lambda dist: dist.activate()) file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2227, in activate self.insert_on(path) file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2334, in insert_on self.check_version_conflict() file "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2373, in check_version_conflict...
Read more

javascript - cocos2d-js draw circle not instantly -

i wondering how draw circles (or other shapes also) not instantly. so far tried drawcircle(args...) in ccdrawnode.js , drawcircle(args...) in cc.drawingprimitivecanvas class, , draw circles popping out instantly on screen. what if want achieve effect circular progressive bar, completes circle based on percentage of initialization? or more generally, if want draw circle respect prolonged period? thinking there drawcircle function elapsed time argument fail find any. or have implement own? thanks suggestions, far out of ideas. i think have implement own. think can achieve update circle drawing on each time update() function called.
Read more