In MVC, where is the correct place to put authorization code?

Question

In MVC, where is the correct place to put authorization code?
The controller?
The Model?
In the view?

All over the place?

Answer 1

I vote for putting it where it makes sense. Most of my authorization stuff is handled via decorating controller actions (or even some controllers) with the AuthorizeAttribute -- or an attribute derived from it. In a few cases -- like my menus -- I've resorted to putting the authorization check in the view code itself, rather than calculating it in each controller and passing flags down in ViewData. There are a few instances where certain aspects of the model are only available to particular roles and in those cases I've resorted to extending the model with methods that can take the current user and roles and do the check there.

Answer 2

I think authorization is a cross-cutting concern. Should be in one place - an aspect that can be declaratively applied where it's needed.