
Storing logged-in user details from the UI and using them in BL methods

I am working on a document management system. The users defined in the database can create/manipulate their own documents based on the access rights defined for them. The owner of a document can let another user access/modify the document (stored as XML content). I need to authorize the logged-in user whenever a document is opened for editing. The document already has CreatedBy and EditingUser properties.

There is a chance that a document owned by user "A" can be edited by user "B" if he has write access for that document. Now I need to check the authorization of the logged-in user for the document which is opened for editing (inside the Save() BL method of the DocumentManager object). Here I need to access the logged-in user details inside the BL method, which are filled in after the login process (and should not be changed after that).

My application is a WPF application. So what is the best approach to handle a situation like this? I often need to check the rights of the logged-in user against the document in my application (particularly inside the BL methods).


I would rather suggest a decoupled mechanism to authorize users, so the actual application need not worry about authorization.

You can define the authorization logic as a policy, in XACML.

XACML is the de-facto standard for authorization.

Once you have the authorization logic defined in the XACML PDP, then before executing the user's actions your application will call the XACML PDP and ask whether the logged-in user is eligible to perform this action against the given resource.

Using XACML will give you the flexibility to change the authorization logic without even touching the application logic.

Also, you can define very fine-grained rules with XACML.


You need to take a session approach. You need to maintain a static class as below. Whenever a user is logged in, you need to add them to the list in the BLL.

using System;
using System.Collections.Generic;
using System.Linq;

public static class Session
{
    // Assumes User has an int Id and overrides Equals/GetHashCode so it can serve as a dictionary key.
    private static readonly Dictionary<User, DateTime> loggedInUsers = new Dictionary<User, DateTime>();
    private static readonly object gate = new object();   // UI and BL may call this from different threads

    public static event Action<User> UserArrived;
    public static event Action<User> UserLeft;

    public static void Add(User user)
    {
        lock (gate) { loggedInUsers[user] = DateTime.Now; }   // value = last activity time
        UserArrived?.Invoke(user);                            // raise event: user arrival
    }

    public static User GetUser(int id)
    {
        lock (gate) { return loggedInUsers.Keys.FirstOrDefault(u => u.Id == id); }
    }

    public static void Remove(User user)
    {
        bool removed;
        lock (gate) { removed = loggedInUsers.Remove(user); }
        if (removed) UserLeft?.Invoke(user);                  // raise event: user left
    }

    // TODO: add a timer that calls Remove() for any user whose stored DateTime is
    // older than n minutes (no activity in that period), i.e. log him out.
}
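Both answers above come down to the same shape: keep the logged-in user's identity in one place that the BL can read but not overwrite, and route every rights check through a single decision point that the BL method itself calls (the XACML answer's PDP, or a local rule set). The following C# is an added example written for this page; it is not code from either answer or from the asker's project. Every name in it (AppSession, Principal, AccessRight, Document.Grants, IDocumentAuthorizer, OwnerAndGrantAuthorizer, DocumentManager) is assumed, as are the grant model (the owner has all rights, other users have what the owner granted them, a Write grant also satisfies Read) and the reading of EditingUser as an edit lock, which the question does not specify.

```csharp
using System;
using System.Collections.Generic;

// Added example; every type here and the grant model are assumptions, not from the question.
public enum AccessRight { Read = 0, Write = 1 }   // ordered so that a Write grant also satisfies Read

// Identity established once at login; immutable so BL code can trust it.
public sealed class Principal
{
    public int Id { get; }
    public Principal(int id) { Id = id; }
}

// Holds the current principal for the whole WPF process (one interactive user per process).
public static class AppSession
{
    private static readonly object Gate = new object();
    private static Principal current;

    public static Principal Current
    {
        get { lock (Gate) { return current ?? throw new InvalidOperationException("No user is logged in."); } }
    }

    public static void SignIn(Principal principal)
    {
        if (principal == null) throw new ArgumentNullException(nameof(principal));
        lock (Gate)
        {
            if (current != null) throw new InvalidOperationException("A user is already signed in.");
            current = principal;   // set exactly once per login; nothing else can overwrite it
        }
    }

    public static void SignOut() { lock (Gate) { current = null; } }
}

public sealed class Document
{
    public int Id { get; set; }
    public int CreatedBy { get; set; }       // owner
    public int? EditingUser { get; set; }    // assumed meaning: user currently holding the edit lock
    public string XmlContent { get; set; }
    public Dictionary<int, AccessRight> Grants { get; } = new Dictionary<int, AccessRight>();   // userId -> right granted by the owner
}

// Policy decision point: the BL only asks "may subject perform action on resource?",
// so this implementation can be swapped for a XACML PDP client without touching DocumentManager.
public interface IDocumentAuthorizer
{
    bool IsAllowed(Principal subject, Document resource, AccessRight action);
}

public sealed class OwnerAndGrantAuthorizer : IDocumentAuthorizer
{
    public bool IsAllowed(Principal subject, Document resource, AccessRight action)
    {
        if (subject == null || resource == null) return false;   // deny by default
        if (resource.CreatedBy == subject.Id) return true;       // the owner may do anything
        return resource.Grants.TryGetValue(subject.Id, out var granted) && granted >= action;
    }
}

public sealed class DocumentManager
{
    private readonly IDocumentAuthorizer authorizer;
    public DocumentManager(IDocumentAuthorizer authorizer) { this.authorizer = authorizer; }

    // Policy enforcement point inside the BL: a UI that forgets to disable the Save button cannot bypass it.
    public void Save(Document doc)
    {
        var user = AppSession.Current;
        if (!authorizer.IsAllowed(user, doc, AccessRight.Write))
            throw new UnauthorizedAccessException($"User {user.Id} has no write access to document {doc.Id}.");
        if (doc.EditingUser.HasValue && doc.EditingUser.Value != user.Id)
            throw new InvalidOperationException($"Document {doc.Id} is being edited by user {doc.EditingUser}.");
        doc.EditingUser = user.Id;
        // ... persist doc.XmlContent here ...
    }
}

public static class Program
{
    public static void Main()
    {
        var manager = new DocumentManager(new OwnerAndGrantAuthorizer());
        var doc = new Document { Id = 7, CreatedBy = 1, XmlContent = "<doc/>" };   // constructed sample: owned by user 1 ("A")
        doc.Grants[2] = AccessRight.Read;          // user 2 ("B") was granted read only

        AppSession.SignIn(new Principal(2));
        try { manager.Save(doc); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("Denied: " + e.Message); }

        doc.Grants[2] = AccessRight.Write;         // the owner now grants write access
        manager.Save(doc);                         // succeeds
        Console.WriteLine("Saved by user " + AppSession.Current.Id);
        AppSession.SignOut();
    }
}
```

In a real application the Grants map would be loaded from the database together with the document, and the WPF views would call the same IDocumentAuthorizer only to enable or disable controls, never as the actual gate. A static AppSession is acceptable in a desktop client because there is exactly one interactive user per process; if the BL is later moved behind a service, the principal should come from the authenticated request context instead of process-wide static state, and the session-list approach in the second answer becomes the server-side equivalent.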
