I've been doing a lot of tutorials for different MVC frameworks, and it seems very typical for Authorization to take place in the Controller. Why?
My thought is the Controller should only be used to orchestrate Model actions, to handle redirection and to handle error events. These are the things that are dependent on the specific request. Putting Authorization in the Controller seems like you're going to have to duplicate the authorization whenever you're using the same Model action in different Controller actions or different Controllers. If Auth is in the Model, you have consistent requirements for carrying out an action or state change on the data.
I've been googling and looking at other questions such as "Should authorization be part of the model or controller?" but I don't really see why it's the accepted convention.
Is there a specific reason I'm missing for putting Authorization in the controller over the model?
To sum up points in the comments:
- Controllers are responsible for altering the state of the model layer and the current view. Nothing else.
- Authorization belongs where an action is being carried out. If you're following a strict MVC pattern, this would most likely be the model, and a Controller is certainly not responsible for authorizing the use of model actions.
- Cookies should be treated like any other datastore: abstracted and used within the models, not directly by controllers.
- Authentication and Authorization are separate issues, though they both usually go in the model layer, because they usually involve checks against values in datastores (such as cookies).
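The duplication concern raised in the question, as an added example that is not part of the original post: the same delete action is reached through two controllers, once with the rule copied into each controller and once with the rule enforced by the model. All class, function and user names are hypothetical, and the owner-or-admin rule is an assumed policy chosen for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised by the model layer when the actor may not perform the action."""

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Article:
    owner: str
    deleted: bool = False

    def delete_unchecked(self):  # variant A: every caller must remember the rule
        self.deleted = True

    def delete(self, actor):     # variant B: the rule travels with the state change
        if actor.name != self.owner and "admin" not in actor.roles:
            raise Forbidden(f"{actor.name} may not delete this article")
        self.deleted = True

# Variant A: authorization in the controllers.
def web_delete_a(actor, article):
    if actor.name != article.owner and "admin" not in actor.roles:
        return 403
    article.delete_unchecked()
    return 302

def api_delete_a(actor, article):
    article.delete_unchecked()   # second entry point, copy of the rule forgotten
    return 204

# Variant B: controllers only map the model's outcome to a response code.
def web_delete_b(actor, article):
    try:
        article.delete(actor)
    except Forbidden:
        return 403
    return 302

def api_delete_b(actor, article):
    try:
        article.delete(actor)
    except Forbidden:
        return 403
    return 204

def attempt(controller):
    """Constructed case: non-owner 'mallory' targets an article owned by 'alice'."""
    article = Article(owner="alice")
    return controller(User("mallory"), article), article.deleted
```

In variant A the API controller returns 204 and the article is deleted for a non-owner, while both variant B controllers return 403 and leave the state unchanged.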