Should authorization be part of the model or controller?

Front-end · Open · 6 answers · 661 views
Asked by 独厮守ぢ, 2021-01-17 07:48

I'm writing a web application with some ACL requirements: a user can make changes to some items, some items may be editable by several users, administrator can edit anythin

6 answers
  •  说谎 (OP)
     2021-01-17 08:02

    Authorization should be part of neither the controller nor the domain model.

    Instead it should be in the service layer.

    The controller should just act as a dispatcher and delegate between HTTP and the application service. The application service is where the orchestration takes place, and that is the best place to put authorization.

    Suppose user A is authorized to access data from domain X, but is not authorized for even read access to data from domain Y. If authorization is placed in the controller, then user A gets authorized in controller X and, via the service calls, can access data from domain Y, which is not what we expected.

    Since domain models communicate with each other at the service layer, it is best to place authorization at the same level.
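The scenario in this answer, as an added example that is not part of the original post or any real framework: two toy application services for domains X and Y, first with the permission check only in controller X (so user A's call into X leaks Y's data through the internal service call), then with the check moved into each service so Y refuses A regardless of who calls it. All names, the `(domain, action)` permission tuples, the `"*"` wildcard for the administrator case and the sample data are assumptions made for the illustration.

```python
# Added example, not code from the original post. A minimal ACL model
# showing why a check in the controller does not cover inter-service calls.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a principal lacks the required permission."""


@dataclass(frozen=True)
class User:
    name: str
    # Assumed ACL shape: set of (domain, action) pairs, e.g. {("X", "read")}.
    # A "*" domain grants the action on every domain (the administrator case).
    permissions: frozenset = frozenset()

    def can(self, domain: str, action: str) -> bool:
        return (domain, action) in self.permissions or ("*", action) in self.permissions


# Constructed sample data for the two domains in the answer.
DOMAIN_X = {"x-1": "report for X"}
DOMAIN_Y = {"y-1": "salary table for Y"}


# --- Layout 1: authorization only in the controller (the flawed layout) ---

class YServiceUnchecked:
    """Service for domain Y with no authorization of its own."""
    def get(self, user: User, item_id: str) -> str:
        return DOMAIN_Y[item_id]


class XServiceUnchecked:
    """Service for domain X; its orchestration also pulls data from Y."""
    def __init__(self, y_service: YServiceUnchecked):
        self.y = y_service

    def get_with_related(self, user: User, item_id: str) -> dict:
        # X reaches into Y on the caller's behalf; nothing checks Y here.
        return {"x": DOMAIN_X[item_id], "y": self.y.get(user, "y-1")}


def x_controller_checked(user: User, item_id: str) -> dict:
    """Controller X authorizes for domain X only, then delegates."""
    if not user.can("X", "read"):
        raise Forbidden("no read on X")
    return XServiceUnchecked(YServiceUnchecked()).get_with_related(user, item_id)


# --- Layout 2: authorization in the application services (the answer's fix) ---

def require(user: User, domain: str, action: str) -> None:
    if not user.can(domain, action):
        raise Forbidden(f"{user.name} lacks {action} on {domain}")


class YService:
    def get(self, user: User, item_id: str) -> str:
        require(user, "Y", "read")  # enforced no matter which caller arrives here
        return DOMAIN_Y[item_id]


class XService:
    def __init__(self, y_service: YService):
        self.y = y_service

    def get_with_related(self, user: User, item_id: str) -> dict:
        require(user, "X", "read")
        return {"x": DOMAIN_X[item_id], "y": self.y.get(user, "y-1")}


def x_controller_thin(user: User, item_id: str) -> dict:
    """Controller X is a pure dispatcher: no policy lives here."""
    return XService(YService()).get_with_related(user, item_id)


def demo() -> dict:
    """What user A (read on X only) gets under each layout."""
    user_a = User("A", frozenset({("X", "read")}))
    leaked = x_controller_checked(user_a, "x-1")  # returns Y's data too
    try:
        x_controller_thin(user_a, "x-1")
        blocked = False
    except Forbidden:
        blocked = True
    return {"controller_only_leaks_y": "y" in leaked, "service_layer_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The second layout also keeps the controller free of policy, so adding a new entry point (a CLI, a message consumer, another controller) cannot bypass the check by forgetting to copy it.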
