I am developing a CMS application using MVC 3 (RC2) and I am now at a crossroads. I cannot convince myself whether my proposed approach is suitable or not. I think this is because I know that I am trying to cut some corners, which will cost me heavily later down the line.
Let me describe my problem:
1) I have a resource (you can call it A), which should be editable.
2) I have a custom permission system that has two (out of many) permissions:
- Can edit own resource
- Can edit other resource
3) The creator of resource A can edit it if he has the permission "Can Edit Own Resource".
4) Any other user can only edit A if they have the permission "Can Edit Other Resource".
Now that the requirement is described, here is my approach:
1) I have a controller called ResourceController
2) I have an action called "Edit"
3) The action has an attribute on it: [CustomerAuthorize (Perm.CanEditOwnResource, Perm.CanEditOtherResource, Any = true)]
4) I have a service class that takes care of domain validation.
Thus, the action method is reached if the user has either the permission "Can Edit Own Resource" or the permission "Can Edit Other Resource".
How (and where) should I decide whether the user has the correct permission, depending on whether the resource belongs to them? Should it be in the controller action, in the resource service class, or in a separate service class?
Looking forward to hearing different opinions...
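One way to lay this out, as an added example in C# that is not code from the question or from any answer to it: keep the CustomerAuthorize attribute as the coarse gate ("may this user edit anything at all?") and put the "own vs. other" decision in one authorization service that is keyed on the resource's stored creator, never on anything the request supplies. The application service that the Edit action calls runs that check on both the GET (show form) and the POST (apply changes) path, so a user holding only CanEditOwnResource who passes the Any = true gate cannot edit someone else's resource just by posting a different id. The Perm enum name, the repository interface, the ForbiddenException type and the sample users are assumptions made for this example; the question only names the two permission members and the attribute.

```csharp
using System;
using System.Collections.Generic;

// The two permissions named in the question; the enum name is assumed.
public enum Perm { CanEditOwnResource, CanEditOtherResource }

public class User
{
    public int Id { get; set; }
    public HashSet<Perm> Permissions { get; set; }
}

public class Resource
{
    public int Id { get; set; }
    public int CreatorId { get; set; }   // set once, when the resource is created
    public string Body { get; set; }
}

// Thrown from the service layer; the controller maps it to HTTP 403.
public class ForbiddenException : Exception
{
    public ForbiddenException(string message) : base(message) { }
}

// Hypothetical repository abstraction standing in for the real data access.
public interface IResourceRepository
{
    Resource Find(int id);
    void Save(Resource resource);
}

public class InMemoryResourceRepository : IResourceRepository
{
    private readonly Dictionary<int, Resource> store = new Dictionary<int, Resource>();
    public Resource Find(int id) { Resource r; return store.TryGetValue(id, out r) ? r : null; }
    public void Save(Resource resource) { store[resource.Id] = resource; }
}

// The single place where the "own vs. other" rule lives. Ownership is read
// from the stored CreatorId, not from request data, so it cannot be spoofed.
public class ResourceAuthorizationService
{
    public bool CanEdit(User user, Resource resource)
    {
        if (user == null || resource == null) return false;
        bool isOwner = resource.CreatorId == user.Id;
        // Rules 3 and 4 taken literally: the creator needs the "own" permission,
        // everyone else needs the "other" permission.
        return isOwner
            ? user.Permissions.Contains(Perm.CanEditOwnResource)
            : user.Permissions.Contains(Perm.CanEditOtherResource);
    }
}

// Application service the Edit action calls. GET and POST both go through
// GetForEdit, so the ownership check cannot be skipped by posting directly.
public class ResourceService
{
    private readonly IResourceRepository repo;
    private readonly ResourceAuthorizationService authz;

    public ResourceService(IResourceRepository repo, ResourceAuthorizationService authz)
    {
        this.repo = repo;
        this.authz = authz;
    }

    public Resource GetForEdit(User user, int id)
    {
        Resource r = repo.Find(id);
        if (r == null) throw new KeyNotFoundException("resource " + id);
        if (!authz.CanEdit(user, r))
            throw new ForbiddenException("user " + user.Id + " may not edit resource " + id);
        return r;
    }

    public void Update(User user, int id, string newBody)
    {
        Resource r = GetForEdit(user, id);   // same check on the POST path
        r.Body = newBody;
        repo.Save(r);
    }
}

public static class Program
{
    // Stand-in for the controller action body: returns the HTTP status the
    // action would produce (200 on success, 403 on Forbidden, 404 if missing).
    public static int EditAction(ResourceService svc, User current, int id, string newBody)
    {
        try { svc.Update(current, id, newBody); return 200; }
        catch (ForbiddenException) { return 403; }
        catch (KeyNotFoundException) { return 404; }
    }

    public static void Main()
    {
        var repo = new InMemoryResourceRepository();
        repo.Save(new Resource { Id = 1, CreatorId = 10, Body = "original" });
        var svc = new ResourceService(repo, new ResourceAuthorizationService());

        // Constructed sample users; all three would pass the attribute gate (Any = true).
        var owner  = new User { Id = 10, Permissions = new HashSet<Perm> { Perm.CanEditOwnResource } };
        var other  = new User { Id = 11, Permissions = new HashSet<Perm> { Perm.CanEditOwnResource } };
        var editor = new User { Id = 12, Permissions = new HashSet<Perm> { Perm.CanEditOtherResource } };

        Console.WriteLine("owner   -> " + EditAction(svc, owner,  1, "edited by owner"));
        Console.WriteLine("other   -> " + EditAction(svc, other,  1, "hijack attempt"));
        Console.WriteLine("editor  -> " + EditAction(svc, editor, 1, "edited by editor"));
        Console.WriteLine("missing -> " + EditAction(svc, editor, 99, "x"));
    }
}
```

In the real controller the action would resolve the current user from HttpContext.User, call ResourceService.GetForEdit on the GET and ResourceService.Update on the POST, and turn ForbiddenException into an HttpStatusCodeResult(403) rather than a redirect that reveals the resource. The point of keeping the decision in ResourceAuthorizationService rather than in the action is that every other entry point (an API controller, a background job) reuses the same rule and cannot drift from it.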