Best way to design application

I have an application with multiple users with different roles. Each users access to a resource is limited by the role he has.

Now if I am building an application to manage these resources how should I structure my application.

roles : admin, moderator, author resources: articles

I see two options.

1: Create separate modules for each role with give access to resources for the role eg: admin/ -add/edit/delete article -add/edit/delete user author/ -add/edit/delete own articles moderator/ -edit articles

2: Create separate modules for each resource and give access to them based on the role of the user accessing them. eg:

articles/ add/edit/delete [manage operations depending on the user's role ]

The language is PHP and I will be using Zend framework. My issue is not about access permissions since Zend's ACL component takes care of it. My issue is with organization of the application.

For example if a new user is int开发者_StackOverflow社区roduced, in the first case I will have to create a new module. But in the case of the second method, I will have to update each and every module.

It is obvious that first approach will involve more files and less complex logic second approach will need more complex logic but I am simply not sure of which one to follow and looking for advice. Any help is appreciated.

Thanks.

I think general approach would be to keep access logic with accessed resource, not with accessing one.

In your example it would mean that if article wants to be edited only by specified users, then it's article's business to check who edits it.

All of the logic would be something like:

if user is article.owner or admin
    ...make things happen

and if you ever want to add new user role or change behavior of existing ones, you only need to edit this one condition rather than create another pretty-much-the-same-yet-a-bit-different user module.

It really depends on which language/platform you are building everything in. Most platforms already have built in support for security.

This answer is for .NET.

Do nothing special. Use the built in security model (CAS = Code Access Security).

You can limit the access to methods by using certain attributes. If you are building a MVC app you can use the [Authorize] attribute, while in regular apps you can use [PrinicpalPermission].

To get it working you need to assign a principal to all running threads (System.Threading.Thread.CurrentPrincipal = new MyPrincipal(myUserInfo)).

ASP.NET does this automatically, and other applications use the current logged in (windows)user as default.