I’m starting to develop an ASP.NET MVC 3 application and I have sought to follow some good DDD practices. I have the following situation, on which I would like an opinion. One of the system's features is the creation of activities in which one or more users of the system will participate, a meeting for example. Any user with a certain access profile can create new activities, but only the user who created an activity can change it. The question is: what’s the correct place to insert this rule?

-> In every setter of the “Activity” entity? That seems to break DRY.

-> In the repository at the moment of saving the changes? In this case, what would be the correct moment to pass the user permissions? One more parameter to this method? In the class constructor? (In my model, the repositories are interfaces; if I adopt this option, would the dependency be explicit only in the infrastructure layer where the repositories are implemented?)

-> Controller? It seems to collaborate with an anemic model.

By the way, questions abound... What do you think?

1 Answer

If you are using ASP.NET Membership you can take advantage of the Roles and Profile providers and use Authorize attributes to restrict access to the actual views where creation or editing occur. For example, the create action could be:

[Authorize(Roles="Activity Admin")]
public ActionResult CreateActivity()
{
    return View();
}

Where "Activity Admin" is your creator role. Then your edit could look something like this:

[Authorize(Roles="Activity Admin")]
public ActionResult EditActivity(int id)
{
    Activity activity = ActivityRepository.GetActivityByID(id);

    if (activity.CreatorID != CurrentUser.ID)
    {
        return RedirectToAction("Activities");
    }

    return View(activity);
}

That if statement does the check to make sure the current logged-in user was the user who actually created the activity. The CurrentUser.UserID can be replaced with whatever method you use to retrieve the current logged-in user's unique ID. I usually use the ProfileBase class to implement a class that allows me to track the current user's info. The link below to another SO question shows how you can do that.

How can i use Profilebase class?

Community
ryanulit
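
The ownership rule from the question, enforced once inside the entity so that it also covers the action that saves an edit, not only the GET action that displays the form. This is an added example, not code from the original question or answer; the class and member names (`Activity`, `EnsureModifiableBy`, `Rename`, `Reschedule`) are hypothetical.

```csharp
using System;

// Hypothetical domain model; names are illustrative, not from the original post.
public class Activity
{
    public int Id { get; private set; }
    public int CreatorId { get; private set; }
    public string Title { get; private set; }
    public DateTime StartsAt { get; private set; }

    public Activity(int id, int creatorId, string title, DateTime startsAt)
    {
        Id = id; CreatorId = creatorId; Title = title; StartsAt = startsAt;
    }

    // Single guard shared by every state-changing method, so the rule
    // is written once instead of being repeated in each setter.
    private void EnsureModifiableBy(int actingUserId)
    {
        if (actingUserId != CreatorId)
            throw new UnauthorizedAccessException("Only the creator can change activity " + Id);
    }

    public void Rename(int actingUserId, string newTitle)
    {
        EnsureModifiableBy(actingUserId);
        if (string.IsNullOrWhiteSpace(newTitle))
            throw new ArgumentException("Title is required", "newTitle");
        Title = newTitle.Trim();
    }

    public void Reschedule(int actingUserId, DateTime newStart)
    {
        EnsureModifiableBy(actingUserId);
        StartsAt = newStart;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: activity 1 was created by user 42.
        var meeting = new Activity(1, 42, "Sprint review", new DateTime(2024, 1, 15, 10, 0, 0));
        meeting.Rename(42, "Sprint review (moved)");   // creator: allowed
        try { meeting.Rename(7, "Changed by user 7"); } // another user: rejected, title unchanged
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Denied: " + ex.Message); }
        Console.WriteLine(meeting.Title);
    }
}
```

A controller using this model would take `actingUserId` from the authenticated server-side identity, never from form or query data, and map `UnauthorizedAccessException` to an HTTP 403 response.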