CQRS and access restriction?
I am developing an application using the CQRS pattern. The application is a REST API.
Suppose there is an endpoint /cars/1/?fields=model, year, owner. Let's say the user doesn't have the right to get information about the owner of the car. How and where is it better to check whether the user has access to the owner field, or even to the execution of the command/query at all?
Access rights have nothing to do with CQRS at all. That's like comparing warm with soft. Somewhere at the application level you should have a service responsible for distributing access rights. If the user wants to execute any command or query, you must first go to this service, find out whether he can do it, and only then send the command or execute the query, that's all.

Restricting access at the individual field level doesn't seem like a good idea to me. It's more correct to either separate the owner data into a separate entity and restrict access to it, or introduce different types of query: "with owner data" and "without owner data", and limit the ability to make specific queries.
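As an added illustration (not code from the question or the answer): a minimal in-process dispatcher in Python that applies the answer's advice, an access service consulted before any handler runs, with two query types instead of field-level filtering. The roles, the sample car record and the policy table are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]


# Two distinct query types instead of a per-field filter on one query.
@dataclass(frozen=True)
class GetCarQuery:
    car_id: int


@dataclass(frozen=True)
class GetCarWithOwnerQuery:
    car_id: int


class AccessDenied(Exception):
    pass


# Constructed sample data standing in for the read model.
CARS = {1: {"model": "Lada 2107", "year": 1998, "owner": "ivan@example.com"}}


def handle_get_car(q: GetCarQuery) -> dict:
    car = CARS[q.car_id]
    return {"model": car["model"], "year": car["year"]}


def handle_get_car_with_owner(q: GetCarWithOwnerQuery) -> dict:
    return dict(CARS[q.car_id])


# Access policy keyed by message type: which roles may dispatch it (assumed).
POLICY: Dict[type, FrozenSet[str]] = {
    GetCarQuery: frozenset({"user", "admin"}),
    GetCarWithOwnerQuery: frozenset({"admin"}),
}
HANDLERS: Dict[type, Callable[[Any], dict]] = {
    GetCarQuery: handle_get_car,
    GetCarWithOwnerQuery: handle_get_car_with_owner,
}


def is_allowed(user: User, message: Any) -> bool:
    """The access service: unknown message types are denied by default."""
    return bool(user.roles & POLICY.get(type(message), frozenset()))


def dispatch(user: User, message: Any) -> dict:
    """Authorize first, then route to the handler; never the other way round."""
    if not is_allowed(user, message):
        raise AccessDenied(f"{user.user_id} may not run {type(message).__name__}")
    return HANDLERS[type(message)](message)
```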