I’ve faced this problem more than once, and I’d like to suggest a rephrase for the main question: Does authorization logic belong in the domain?
I don’t have a definitive answer to that question, and I’m not sure there is one. My two cents are more questions:
When we read business logic, is it important to always keep in mind who is authorized to do such and such actions? When we test business logic, is it too cumbersome to add authorization arrangements and asserts? When business logic changes, does authorization logic change with it? How about the opposite?
Depending on the answers to those questions (and I tend to believe they change from project to project), I follow one of the following approaches:
- Delegate authorization to a 3rd party library in the infrastructure layer.
- Create a Bound Context specifically for authorization inside my domain, used by Outer Usecases, Domain Services but not by Entities or Core Domain.
- Build authorization inside the domain itself.
I haven’t yet come to a conclusion about which is best, I reckon it depends on the project’s domain. I hope this helps you on your journey. :-)
Caio