How to handle authorization in CQRS
In a CQRS architecture, at least as implemented by Vaughn Vernon in IDDD_Samples, the query services lives in the application layer. But then where and how should authorization be handled? For example, on Twitter a person can set their account so that the posts are only visible to people they've manually approved. So if someone outside of that circle encounters that person's posts (usually in replies), the content will be redacted and replaced with a message indicating that the post is not accessible. How'd you handle this in a CQRS architecture? Should you "lower" the query service into the domain and handle the authorization logic in a domain service (instead of the application service)? Because of the anemic nature of query models, I find it hard to solve problems that involves performing additional (non-mutating) business/domain logic on the query models.
In a CQRS architecture, at least as implemented by Vaughn Vernon in IDDD_Samples, the query services lives in the application layer. But then where and how should authorization be handled?
For example, on Twitter a person can set their account so that the posts are only visible to people they've manually approved. So if someone outside of that circle encounters that person's posts (usually in replies), the content will be redacted and replaced with a message indicating that the post is not accessible.
How'd you handle this in a CQRS architecture? Should you "lower" the query service into the domain and handle the authorization logic in a domain service (instead of the application service)?
Because of the anemic nature of query models, I find it hard to solve problems that involves performing additional (non-mutating) business/domain logic on the query models.
