Permissioning/Authorization (not Authentication) is a cross-cutting concern, I think.
In an Onion Architecture or Hexagonal Architecture, where should permissioning be performed? Examples of permissioning required would be:
- Filtering data returned to the front end (UI, API, or otherwise)
- Validating that a business operation can be performed at all
Ideally, via the Single Responsibility Principle, the code that performs the business operations and returns data shouldn't need to be aware of a user's permissions at all. The implementations of that functionality should know how to perform business operations or query a repository or domain service - that's it.
Would a wrapper/facade implementing the same interface as the class performing the business operation or returning the data be the place to put this permissioning? Or is there a better way?
Also, if the best practice is to permission by activity, not by role, is it still valid to say permissioning should be performed by a service whose purpose is simply to return data?