I have a business object that contains a collection of ACL items and I'm trying to decide whether to put the authorization code in the business object like this:
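
    using System.Collections.Generic;

    class Foo
    {
        public IEnumerable<Permission> Permissions { get; set; }

        public bool HasPermission(string username, FooPermission operation)
        {
            // check this Foo's Permissions collection and return the result
        }
    }

    class FooHandler
    {
        string username; // name of the current user, assumed to be set elsewhere

        void SomeOperation(Foo foo)
        {
            // the business object answers the authorization question itself
            if (foo.HasPermission(username, FooPermission.SomeOperation))
            {
                // do some operation
            }
        }
    }
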
Or in the object handler like this:
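
    using System.Collections.Generic;

    class Foo
    {
        public IEnumerable<Permission> Permissions { get; set; }
    }

    class FooHandler
    {
        string username; // name of the current user, assumed to be set elsewhere

        void SomeOperation(Foo foo)
        {
            // the check is delegated to a separate security class
            if (SecurityHandler.HasPermission(foo, username, FooPermission.SomeOperation))
            {
                // do some operation
            }
        }
    }

    class SecurityHandler
    {
        public static bool HasPermission(Foo foo, string username, FooPermission operation)
        {
            // check foo's Permissions collection and return the result
        }
    }
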
What are the pros and cons of each approach? Keep in mind that the Permissions collection will be public in either scenario because I'm using Entity Framework in my data layer to persist the business objects directly (I'm willing to change this down the road if necessary).