Should authorization be part of the model or controller?

独厮守ぢ 2021-01-17 07:48

I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, administrator can edit anythin

6 answers
  •  时光取名叫无心
    2021-01-17 07:59

    In most cases, the security should be one (or more) layer above the Model. Security is a domain on its own, restricting access to a lower level layer.

    I don't think the security should be done at the controller level.

    In my opinion, this should look like that:

    View -> Controller -> Security -> Model

    The security layer could be a façade or a proxy over the model, protecting access, but be transparent to the controller.

    However, if the views are to be modified depending on the access rights of the user, some checks might have to happen at the controller level (like setting the value of a CanEdit boolean property on the ViewModel).
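A minimal sketch of the View -> Controller -> Security -> Model layering described in the answer above, added here as an illustration and not part of the original answer. The names `ItemRepository`, `SecuredItems` and `edit_controller`, the HTTP-style status codes and the sample items are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

class AccessDenied(Exception):
    """Raised by the security layer before the model is touched."""

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False

@dataclass(frozen=True)              # immutable, so callers cannot edit around the proxy
class Item:
    id: int
    title: str
    editors: frozenset = frozenset()  # names of users allowed to edit this item

class ItemRepository:
    """Model layer: storage only, no knowledge of users or ACLs."""
    def __init__(self, items):
        self._items = {i.id: i for i in items}
    def get(self, item_id):
        return self._items[item_id]
    def rename(self, item_id, title):
        self._items[item_id] = replace(self._items[item_id], title=title)

class SecuredItems:
    """Security layer: proxy with the repository's interface, bound to one user."""
    def __init__(self, repo, user):
        self._repo, self._user = repo, user
    def can_edit(self, item_id):
        item = self._repo.get(item_id)
        return self._user.is_admin or self._user.name in item.editors
    def get(self, item_id):
        return self._repo.get(item_id)
    def rename(self, item_id, title):
        if not self.can_edit(item_id):   # every write path goes through this check
            raise AccessDenied(f"{self._user.name} may not edit item {item_id}")
        self._repo.rename(item_id, title)

def edit_controller(items, item_id, new_title):
    """Controller: holds no ACL rules, only maps the outcome for the view."""
    try:
        items.rename(item_id, new_title)
        status = 200
    except AccessDenied:
        status = 403
    # CanEdit is the view-model flag mentioned in the answer; it is asked of
    # the security layer rather than recomputed in the controller.
    return {"status": status, "title": items.get(item_id).title,
            "CanEdit": items.can_edit(item_id)}
```

The controller is handed a `SecuredItems` instance and never the raw repository, so a forgotten check in a controller action cannot open a write path.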
