Should authorization be part of the model or controller?


Problem description

I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, an administrator can edit anything, and a manager can edit everything within her organization, etc.

I'm using the Play! framework, and by the looks of the Secure module, it seems that the place to put authorization concerns is in the controllers. However, it seems to me that the authorization issues are part of the business logic, and therefore should be in the model. Furthermore, I'm starting to see duplicated logic in the controllers that I need to refactor out.

On the other hand, adding authorization to the model means that I'd have to have some way of getting the current user from within the model, which doesn't seem right. Alternatively, I could add a "current_user" parameter to every model method, but that seems even worse.

So what is the common practice? Can/should I put authorization code in the model, or keep it in the controller?

Recommended answer

I think this is a grey area. One could argue that the user access is part of the mapping between the HTTP world and the object-oriented world. This is what the controller is intended for (hence the heavy use of statics): to transform the incoming request, ready to process the business rules on the domain model.

I would suggest that the controller logic is absolutely the right place for controlling the access to the model, especially as this is managed largely at an annotation level, and the authentication is abstracted off to a Security class.
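As an added illustration (not code from the question, the answer, or the Play! project), this is what the answer's arrangement looks like in Play! 1.x: role checks stay at annotation level in the controller, authentication is abstracted into a `Security` class, and the item-level rule from the question (owner and delegated editors, manager within her organization, admin anywhere) lives on the model but receives the user explicitly instead of looking it up. `User.connect`, the `isAdmin`/`isManager`/`organization` fields and the `editors` collection are assumed model members.

```java
// app/controllers/Security.java
package controllers;
import models.User;

// Resolved by the Secure module; authentication lives here, not in controllers.
public class Security extends Secure.Security {
    // Assumed: User.connect(username, password) returns the user or null.
    static boolean authenticate(String username, String password) {
        return User.connect(username, password) != null;
    }
    // Backs @Check("admin") / @Check("manager"): a pure role lookup.
    static boolean check(String profile) {
        User user = User.find("byEmail", connected()).first();
        if (user == null) return false;
        if ("admin".equals(profile)) return user.isAdmin;
        if ("manager".equals(profile)) return user.isManager;
        return false;
    }
}

// app/controllers/Items.java
package controllers;
import models.Item;
import models.User;
import play.mvc.Controller;
import play.mvc.With;

@With(Secure.class)   // every action first needs an authenticated session
public class Items extends Controller {
    @Check("admin")   // annotation-level check: only admins reach this action
    public static void purge() { Item.deleteAll(); renderText("purged"); }

    // Per-item rules need the item, so the controller resolves the current
    // user and passes it to the model rather than the model looking it up.
    public static void edit(Long id) {
        User user = User.find("byEmail", Security.connected()).first();
        Item item = Item.findById(id);
        notFoundIfNull(item);
        if (!item.isEditableBy(user)) forbidden();
        render(item);
    }
}

// app/models/Item.java (excerpt): the rule itself, free of HTTP concerns.
public boolean isEditableBy(User user) {
    if (user == null) return false;
    if (user.isAdmin) return true;                                       // admins edit anything
    if (user.isManager && user.organization.equals(organization)) return true;
    return editors.contains(user);                                       // owner and delegated editors
}
```

Keeping `isEditableBy` on the model removes the duplicated checks across controllers while the "who is the current user" question stays with the HTTP layer, which is where `Secure.Security.connected()` answers it.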

