Should authorization be part of the model or controller?

独厮守ぢ 2021-01-17 07:48

I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, administrator can edit anythin

6 answers
  •  清歌不尽
    2021-01-17 08:00

    From my personal experience with MVC frameworks I would say:

    1. The model is an object that represents a database table; it should be pure and should not contain any additional logic.
    2. The controller is the place where decisions and other custom logic are made, so the authorization should be in the controller. Some hook could be designed that checks whether the user is authorized in all needed places, so you won't have code repetition (DRY).

    3. The best way to give permission to a user, if you are using a typical REST architecture, is to make a token, save it in the database and on the client side, and verify this token on every request. If you are using a web browser app you can use server-side sessions for authorization (it's much easier).

    So my proposal is to keep the authorization logic in the controller.
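
The hook described in the answer above, sketched as an added example that is not part of the original thread: a Python decorator that loads the item and checks the ACL before a controller action runs, covering the question's cases (items with one or several editors, an administrator who can edit anything). `User`, `Item`, `ITEMS`, `can_edit`, `requires_edit` and `update_title` are hypothetical names, and the in-memory dictionary is an assumption standing in for the database.

```python
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Raised when the current user may not perform the action (HTTP 403)."""


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Item:
    id: int
    title: str
    editor_ids: set = field(default_factory=set)  # users allowed to edit


# Constructed sample data standing in for the database (assumption).
ITEMS = {1: Item(1, "draft", {10}), 2: Item(2, "shared", {10, 11})}


def can_edit(user, item):
    """The single ACL rule: admins edit anything, others only listed items."""
    return user.is_admin or user.id in item.editor_ids


def requires_edit(action):
    """Hook: load the item and check the ACL before the action body runs."""
    @wraps(action)
    def wrapper(user, item_id, *args, **kwargs):
        item = ITEMS.get(item_id)
        if item is None:
            raise LookupError(f"no item {item_id}")
        if not can_edit(user, item):  # deny unless the rule explicitly allows
            raise Forbidden(f"user {user.id} may not edit item {item_id}")
        return action(user, item, *args, **kwargs)
    return wrapper


@requires_edit
def update_title(user, item, new_title):
    """Controller action; the body only runs for authorized callers."""
    item.title = new_title
    return item.title
```

Because the action receives the already-checked `Item` rather than a raw id, an action cannot reach the data without passing through the hook, and the rule itself lives in one function that every action shares.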
