c# .net winforms permissions mvp

Permission based security model


In a Windows Forms payroll application employing the MVP pattern (for a small-scale client), I'm planning user permission handling as follows (permission based), as basically its implementation should be less complicated and straightforward.

NOTE: The system could be used simultaneously by a few users (maximum 3) and the database is at the server side.

This is my UserModel. Each user has a list of permissions given for them.

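using System;
using System.Collections.Generic;

class User
{
    // Members are public so that presenters can read them.
    public string UserID { get; set; }
    public string Name { get; set; }
    public string NIC { get; set; }
    public string Designation { get; set; }
    public string PassWord { get; set; }
    // Permission names granted to this user, e.g. "CanEditAccount".
    public List<string> PermissionList { get; } = new List<string>();
    public bool status { get; set; }
    public DateTime EnteredDate { get; set; }
}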

When a user logs in to the system, it will keep the current user in memory.

For example, in the BankAccountDetailEntering view, I can control the permission to access a command button as follows.

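public partial class BankAccountDetailEntering : Form
{
    // Set by the presenter while it handles OnLoadForm.
    public bool AccountEditable { get; set; }

    // Raised on form load so the presenter can apply the user's permissions.
    public event EventHandler OnLoadForm;

    public BankAccountDetailEntering()
    {
        InitializeComponent();
    }

    private void BankAccountDetailEntering_Load(object sender, EventArgs e)
    {
        cmdEditAccount.Enabled = false;

        OnLoadForm?.Invoke(sender, e); // Event fires...

        if (AccountEditable)
        {
            cmdEditAccount.Enabled = true;
        }
    }
}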

For this purpose, all my relevant presenters (like BankAccountDetailPresenter) should be aware of the UserModel as well, in addition to the corresponding business Model it is presenting to the View.

class BankAccountDetailPresenter
{
    BankAccountDetailEntering _View;
    BankAccount _Model;
    User _UserModel;
    DataService _DataService;

    public BankAccountDetailPresenter(BankAccountDetailEntering view, BankAccount model, User userModel, DataService dataService)
    {
        _View = view;
        _Model = model;
        _UserModel = userModel;
        _DataService = dataService;
        WireUpEvents();
    }

    private void WireUpEvents()
    {
        _View.OnLoadForm += new EventHandler(_View_OnLoadForm);
    }

    // Enables editing in the view if the current user holds "CanEditAccount".
    private void _View_OnLoadForm(Object sender, EventArgs e)
    {
        foreach (string s in _UserModel.PermissionList)
        {
            if (s == "CanEditAccount")
            {
                _View.AccountEditable = true;
                return;
            }
        }
    }

    public void Show()
    {
        _View.ShowDialog();
    }
}

So I'm handling the user permissions in the presenter by iterating through the list. Should this be performed in the Presenter or the View? Are there any other more promising ways to do this?

Thanks.


Solution

  • "The presenter acts upon the model and the view. It retrieves data from repositories (the model), and formats it for display in the view." - MVP

    So the presenter formats the data, but to me it looks like the presenter contains a kind of business logic - it really checks if the user can modify the account. What if you forget this check in one of the forms? So it should be in the underlying layer (probably a service).
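
An added sketch of the service-layer check the answer suggests; it is not code from the question or the answer. `CurrentUser`, `BankAccountService`, `UpdateAccountNumber` and the sample IDs are hypothetical names, and an in-memory dictionary stands in for the server-side database; only the `"CanEditAccount"` string and `cmdEditAccount` come from the question.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical names; only the "CanEditAccount" string comes from the question.
public sealed class CurrentUser
{
    private readonly HashSet<string> _permissions;
    public string UserID { get; }
    public CurrentUser(string userId, IEnumerable<string> permissions)
    {
        UserID = userId;
        _permissions = new HashSet<string>(permissions, StringComparer.Ordinal);
    }
    public bool Has(string permission) => _permissions.Contains(permission);
}

public sealed class BankAccountService
{
    public const string EditPermission = "CanEditAccount";
    private readonly CurrentUser _user;
    // In-memory dictionary stands in for the server-side database (assumption).
    private readonly Dictionary<string, string> _accounts = new Dictionary<string, string>();

    public BankAccountService(CurrentUser user) { _user = user; }

    // Presenters call this only to decide whether to enable cmdEditAccount.
    public bool CanEditAccount() => _user.Has(EditPermission);

    // Authoritative check: every edit passes through here, whatever the form did.
    public void UpdateAccountNumber(string employeeId, string accountNumber)
    {
        if (!_user.Has(EditPermission))
            throw new UnauthorizedAccessException($"User {_user.UserID} lacks {EditPermission}.");
        _accounts[employeeId] = accountNumber;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample users: one without and one with the permission.
        var clerk = new BankAccountService(new CurrentUser("U002", new string[0]));
        try { clerk.UpdateAccountNumber("E17", "000-111"); } // a form that forgot the UI check
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }

        var admin = new BankAccountService(new CurrentUser("U001", new[] { "CanEditAccount" }));
        admin.UpdateAccountNumber("E17", "000-111");
    }
}
```

The presenter keeps using `CanEditAccount()` to grey out the button, while a form that omits that step is still refused at `UpdateAccountNumber`. Because this check runs inside the client process, it complements rather than replaces the privileges granted to the application's account on the database server.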