  • 1
    User identity is very often part of business logic. A customer should only be able to edit their own orders, not anyone else's. A user should see items in their "recommended" feed tailored to them, etc. Commented 2 days ago
  • 2
    id and role are not the same Commented 2 days ago
  • I'm just very suspicious of "we check access at the door so don't inside" as a security strategy. I'm also not convinced I understand "cross cutting concern" the way you do, because to me security as a cross cutting concern is a strike against your advice. Commented 2 days ago
  • It's about separating permissions and roles: rather than passing the role into the logic, you have a permission, "see non-active", and assign it to the admin role. Commented 2 days ago
  • 4
    I think this answer is a good approach, but "naming things" becomes an issue. Instead of "show inactive inventory", I would prefer an endpoint split based on some root URL, like /inventory for customers, and /admin/inventory for admins. Honestly, though, roles bleed very easily into business logic, because user roles are often carved out of business requirements. I'm off on a tangent, and I admit that, but more and more I see "business rules" and "security" as the same thing. Commented 2 days ago