Tips for writing security classes for user authentication and authorisation

I have a bunch of objects in my application (Organisations, Individuals, Orders, etc.) and I need a nice clean way to decide which users can and can't view/edit these objects. Users have a range of permissions such as 'Can edit own contacts' and 'Can view team's contacts' and can also be members of groups such as 'Account Manager', so various things need to be checked (Is this user an account manager? Is this contact managed by this user's team? Can this user edit his team's contacts?) before it can be decided if they have access to the object.

Previously most of the logic was inline but as it becomes more complex I've decided that it's best to move it out to new classes such as OrganisationSecurity, OrderSecurity, etc and creating methods such as CanEdit on them.

Is this the correct way to go? Any gotchas I should be careful of? How do you handle this?



Check out Security Patterns, especially in the areas about authentication and authorization.
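The per-object security class the question describes, written out as an added Python example (not code from the question or the answer). The permission and group names, the User and Contact shapes, and the rule that an Account Manager reaches only their own team's contacts are assumptions; the point is a single deny-by-default class that also returns the reason it granted access, so the decision can be logged.

```python
from dataclasses import dataclass

# Constructed permission and group names, modelled on those in the question.
EDIT_OWN = "Can edit own contacts"
EDIT_TEAM = "Can edit team's contacts"
VIEW_TEAM = "Can view team's contacts"
ACCOUNT_MANAGER = "Account Manager"

@dataclass(frozen=True)
class User:
    id: int
    team: str
    permissions: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Contact:
    id: int
    owner_id: int
    team: str  # team that manages this contact

class ContactSecurity:
    """One place that answers 'may this user do X to this contact?'.
    Checks are deny-by-default: access is granted only for a named reason,
    and that reason is returned so callers can log it for audit."""

    def __init__(self, user: User) -> None:
        self.user = user

    def edit_reason(self, contact: Contact) -> "str | None":
        if contact.owner_id == self.user.id and EDIT_OWN in self.user.permissions:
            return "owner"
        if self._same_team(contact) and EDIT_TEAM in self.user.permissions:
            return "team permission"
        # Group membership widens edit to the team's contacts, never across teams.
        if self._same_team(contact) and ACCOUNT_MANAGER in self.user.groups:
            return "account manager"
        return None  # no rule matched: deny

    def can_edit(self, contact: Contact) -> bool:
        return self.edit_reason(contact) is not None

    def can_view(self, contact: Contact) -> bool:
        # Editing implies viewing; otherwise an explicit team-view right is needed.
        return self.can_edit(contact) or (
            self._same_team(contact) and VIEW_TEAM in self.user.permissions
        )

    def _same_team(self, contact: Contact) -> bool:
        return contact.team == self.user.team
```

Keeping every rule in one class means a new permission is added in exactly one place, and the returned reason gives an audit trail of why an edit was allowed.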
