This is really bugging me but no matter what I read, I cannot seem to understand how to solve this.
I understand that we can assign roles to users. These roles allow certain activities to be done (CRUD operations in controllers).
But how do we restrict what data this applies to? Where can these rules be written down easily so that my controllers don't become super messy?
A super basic example is:
Factory Managers can Update the information about their own Factory, but not those in other Factories. (But they can Read that data)
Of course this can be implemented easily in a NUMBER of ways, but I actually have a more complex system (FactoryManagers, FactoryWorkers, SupplyManagers, SupplyWorkers), and need a very robust solution. Here are some ideas:
- In the repository, write separate queries which restrict the data first:
  baseRead
  baseEdit
  baseUpdate
  baseDelete
  These queries return lists of what can be done for a particular user. They are then combined with the ID specified by the user and will return nothing if it is not in the subset.
- Write logic in the controllers to work it out, but this may end up with numerous calls to the database.
Thanks in advance.
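One way to keep the ownership rule out of the controllers is a single policy function that both the controller and the repository consult, so the "subset of what this user may touch" is computed in one place. This is an added example in Python (not code from the question or from any particular framework); the FactoryWorker rule and the role strings are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample domain (not from any real project).
@dataclass(frozen=True)
class Factory:
    id: int
    name: str

@dataclass(frozen=True)
class User:
    id: int
    role: str          # "FactoryManager" or "FactoryWorker" (assumed role names)
    factory_id: int    # the factory this user belongs to

# Central policy: the only place that answers "may this user do this action on this factory?".
# Controllers and repositories call this instead of embedding ownership checks.
def can(user: User, action: str, factory: Factory) -> bool:
    own = factory.id == user.factory_id
    if user.role == "FactoryManager":
        # Managers may read every factory but update only their own.
        return action == "read" or (action == "update" and own)
    if user.role == "FactoryWorker":
        # Assumption: workers may only read their own factory.
        return action == "read" and own
    return False  # default deny for unknown roles or actions

# Repository-side scoping: the "baseRead / baseUpdate returns a subset" idea from the
# question, but with the rule itself kept in `can` so it is not duplicated per query.
def scope(user: User, action: str, factories: List[Factory]) -> List[Factory]:
    return [f for f in factories if can(user, action, f)]

def find_for(user: User, action: str, factory_id: int,
             factories: List[Factory]) -> Optional[Factory]:
    # Combine the user-supplied id with the allowed subset; None means the controller
    # should refuse (403/404) without a second round trip to the database.
    return next((f for f in scope(user, action, factories) if f.id == factory_id), None)

# Constructed sample data.
FACTORIES = [Factory(1, "North"), Factory(2, "South")]
MANAGER_NORTH = User(id=10, role="FactoryManager", factory_id=1)
WORKER_SOUTH = User(id=20, role="FactoryWorker", factory_id=2)

if __name__ == "__main__":
    print([f.name for f in scope(MANAGER_NORTH, "read", FACTORIES)])    # ['North', 'South']
    print([f.name for f in scope(MANAGER_NORTH, "update", FACTORIES)])  # ['North']
    print(find_for(MANAGER_NORTH, "update", 2, FACTORIES))              # None
```

In a real repository the same `can` rule would be translated into a WHERE clause (e.g. filtering on `factory_id`) so the subset is computed by the database rather than in memory.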