We’re all familiar with MVC. Model, view, controller. What if it should actually be MSVC? Model, Security, View, Controller?
Here’s what I’m thinking: In traditional MVC, the question of where to put in security is vague. The worst security may be applied at the view layer, but anyone that knows how to hack around a web form can probably bypass it. Controller-based security would work better, but what if you have a complex security-permissions system? Adding it at the Model level probably doesn’t give you enough context to understand whether or grant the request or not.
So I’m thinking, insert a layer above the model, below the controller that’s “Security/Permissions”. The model would pass it’s data and requests to the security system, which if approved, would be passed to the model. If permission is not granted, the security layer can pass back various complaints to the controller which will then display those in the view.
I doubt I’ll have an opportunity to try writing a project using this idea anytime soon, but I wanted to get it down on “paper” while it was still fresh.
Michael Berding August 13th, 2014
Posted In: Uncategorized