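While thinking about `wild-workouts-go-ddd-example/internal/trainings/domain/training/repository.go` (lines 16 to 27 in 186a2c4), I realized that `user` is passed to implement access policy. As a fan of OPA, I immediately wondered how an integration would be best devised.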
Generically speaking, an external agent can only ever interact with the domain through the application service layer.

The necessary metadata to decide upon an access policy:

- Identifier of the actor
- eventually an elevation token
- an instance of the domain entity (to base decisions on domain values)
- the command to be executed (probably the most important data point to make a policy decision)

Hence, I'm inclined to think the policy could be well implemented at the application layer and the domain be freed of any policy decision. Although being part of the business logic, it will be flexibly implemented in the policy service (OPA) based on those data points.
I feel this mental model is advantageous, since the domain logic could be implemented free of any policy considerations.
```go
// StartRecordingHandler knows how to start a recording
type StartRecordingHandler struct {
	aggregate domain.Repository
	commMgr   domain.CommManager // interface
	policy    app.Policy         // policy interface implemented at the application, not the domain layer?
}

// Handle starts a recording
func (h StartRecordingHandler) Handle(ctx context.Context, livecallToStartRecordingFor uuid.UUID, userID uuid.UUID, elevationToken string) error {
	err := h.aggregate.Update(ctx, livecallToStartRecordingFor, func(l *livecall.Livecall) error {
		// The policy decision is made here, before the domain method is invoked.
		if ok := h.policy.Can(ctx, "StartRecording", userID, elevationToken, *l); !ok {
			return ErrNotAuthorizedToStartRecording
		}
		if err := l.StartRecording(h.commMgr); err != nil {
			return err
		}
		return nil
	})
	if err != nil {
		return ErrUnableToStartRecording
	}
	return nil
}
```
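One way the `app.Policy` interface sketched above could be backed by OPA, as an added example that is not part of the original issue or the project's code: it posts the four data points to OPA's REST Data API and denies on any error or undefined decision. The `OPAPolicy` type, the `livecall/allow` rule path, the input field names and the string-typed IDs are assumptions, and `decide` talks to a constructed local stand-in for OPA.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// OPAPolicy (hypothetical) asks OPA's Data API: POST {"input": ...}, read {"result": ...}.
type OPAPolicy struct{ URL string }

// Can fails closed: timeouts, transport errors, non-200, bad JSON and a missing "result" all deny.
func (p OPAPolicy) Can(ctx context.Context, command, userID, elevationToken string, entity any) bool {
	ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
	defer cancel()
	body, merr := json.Marshal(map[string]any{"input": map[string]any{
		"command": command, "user_id": userID, "elevation_token": elevationToken, "entity": entity}})
	req, rerr := http.NewRequestWithContext(ctx, http.MethodPost, p.URL, bytes.NewReader(body))
	if merr != nil || rerr != nil {
		return false
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	var out struct{ Result *bool `json:"result"` }
	ok := resp.StatusCode == http.StatusOK && json.NewDecoder(resp.Body).Decode(&out) == nil
	return ok && out.Result != nil && *out.Result
}

// decide runs Can against a constructed stand-in for OPA that replies with status and reply.
func decide(status int, reply string) bool {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(status)
		fmt.Fprint(w, reply)
	}))
	defer srv.Close()
	p := OPAPolicy{URL: srv.URL + "/v1/data/livecall/allow"} // rule path is an assumption
	return p.Can(context.Background(), "StartRecording", "user-1", "", map[string]string{"owner": "user-1"})
}

func main() {
	fmt.Println(decide(200, `{"result": true}`), decide(200, `{}`), decide(500, `{"result": true}`))
}
```

OPA answers `200` with no `result` key when the queried rule is undefined for the given input, which is why a missing result is treated as a deny rather than an error to retry.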