Tips for writing security classes for user authentication and authorisation
I have a bunch of objects in my application (Organisations, Individuals, Orders, etC) and I need a nice clean way to decide which users can and can't view/edit these objects. User have a range of permissions such as 'Can edit own contacts' and 'Can view team's contacts' and can also be members of groups such as 'Account Manager' so various things need to be checked (Is this user an account manager? Is this contact managed by this users team? Can this user edit his teams contacts?) before it can be decided if they have access to the object.
Previously most of the logic was inline but as it becomes more complex I've decided that it's best to move it out to new classes such as OrganisationSecurity, OrderSecurity, etc and creating methods such as CanEdit on them.
Is this the correct way to go? Any gotchas I should be careful of? How do you handle this?
Check out Security Patterns, especially in the areas about authentication and authorization.