I am rebuilding one of my favorite intranet apps in Rails. I use a lot
of access control - not just at the model level, but down to specific fields
inside one model.
User A is allowed to modify the field “Meeting.modulex”, because he is a
member of a certain group.
User B is not allowed to modify the same field.
Three things spring into my mind at this:
a) The standard CRUD setup actually uses the view to dictate which
fields a user may edit (which of course could be compromised)
b) The model validation scheme only cares about filling the fields with
c) There is a convention saying that the controller should be “thin”,
and the model “fat”.
I am very much in doubt where I should place my access control. On one
hand it is easier to put it into the controller, since it sometimes
spans multiple models. On the other hand, this isn’t very DRY.
I am interested in hearing how other users have tackled this problem.
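As an added illustration (not from the original post, and not the Rails framework's own API), here is a plain-Ruby sketch of the "Meeting.modulex" case with the check in both places: a server-side parameter filter that ignores whatever fields the form rendered, plus a model-side guard as a second layer. The group name "module_admins", the User and Meeting classes and the sample users are assumptions made up for this example.

```ruby
# Which group may write which field; unlisted fields are writable by
# anyone who may edit the record at all. (Assumed rule table.)
FIELD_RULES = {
  "Meeting" => { "modulex" => "module_admins" }
}.freeze

User = Struct.new(:name, :groups)

# Controller-side half: drop every submitted field the user may not
# modify, regardless of which inputs the view chose to render.
def permitted_fields(model_name, user, submitted)
  rules = FIELD_RULES.fetch(model_name, {})
  submitted.reject do |field, _value|
    required = rules[field.to_s]
    required && !user.groups.include?(required)
  end
end

# Model-side half (defence in depth): refuse to apply a change to a
# protected field unless the acting user is in the required group.
class Meeting
  attr_reader :attributes, :errors

  def initialize(attributes)
    @attributes = attributes.dup
    @errors = []
  end

  # Returns true and applies the changes, or false and fills @errors
  # with the names of the fields the user was not allowed to change.
  def update_as(user, changes)
    rules = FIELD_RULES.fetch("Meeting", {})
    @errors = changes.keys.select do |field|
      required = rules[field.to_s]
      required && !user.groups.include?(required) &&
        changes[field] != @attributes[field]
    end
    return false unless @errors.empty?
    @attributes.merge!(changes)
    true
  end
end

# Constructed sample users: A is in the privileged group, B is not.
USER_A = User.new("User A", ["module_admins", "staff"])
USER_B = User.new("User B", ["staff"])
```

Only the filtered hash should ever reach mass assignment, and the model guard catches any code path that bypasses the filter.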