Hello,
I'm working on a collaboration project. I have an aggregate root called "Project".
Users can create,edit,delete,view on Project if has access to "Project" Aggregate.
Our security context is complicated. We are a permission lookup depend of created "Project" properties and user level/locality (ProjectType, Project Depended Project, Project Blocked Users, Project Users, Restricted Project, Everyting Accessible)
There are 20+ rules like this:
Example:
- If ProjectType == "Hierarchical",when a user added to "Project" followers list, this user and its managers (managers of managers) can access to this project with own permissions
(permissions dynamically set to user according to properties of "Project" and user access level (manager or itself, follower type))
- If ProjectType == "TeamBased", all "Project" users can access to this project with own permissions
(permissions dynamically set to user according to properties of "Project" and user access level (manager or itself))
...
I'm using AuthorizationCommandHandlerDecorator check permissions for command now.
public void Handle(CreateProjectEntityCommand command){
var project = _projectRepository.Get(command.ProjectId);
if(_securityService.HasAccess(project, "CreateProjectEntity", CurrentUser))
throw new Exception("no access");
project.CreateProjectEntity(command.EntityName);
}
In permission creation, raised event from "Project" AR and create new resource for user
// Project AR
public void CreateProjectEntity(string entityName) {
DomainEvents.Raise(new ProjectEntityCreated(this));
}
public void Handle(ProjectEntityCreated ev) {
var project = _projectRepository.Get(ev.ProjectId);
var owners = _userRepository.GetAll(ev.Owners);
var followers = _userRepository.GetAll(ev.Followers);
var authors = _userRepository.GetAll(ev.Authors);
var user = _securityService.GetCurrentUser;
if(project.Type=="Hierarchical") {
var ownerPermissions = _securityRuleLookup.GetRolePermissions("Entity Of Project","Owner");
var ownerManagersPermissions = _securityRuleLookup.GetRolePermissions("Entity Of Project","Owner Managers Level 1");
var ownerTLevelManagersPermissions = _securityRuleLookup.GetRolePermissions("Entity Of Project","Owner Managers Level > 1");
_securityService.AddPermissions(owners,ownerPermissions,ev.ProjectId);
_securityService.AddPermissions(GetManagersOfUsers(owners),ownerManagersPermissions,ev.ProjectId);
_securityService.AddPermissions(GetTLevelManagersOfUsers(owners),ownerTLevelManagersPermissions,ev.ProjectId);
// ... same process for followers, authors, complex rules for user and managers
}
}
Authorization/Security shouldn't part of domain in my read and research. But our security has business rules and I should implement security context in domain. Am I wrong?
Regards,