We’re developing a client and server application for the university library. Besides all the book management and lending functions, the application has to be able to manage users.
We decided on 3 different user types:
- Guests (may view basic information)
- Logged in users (access basic functions like book borrowing)
- Administrators (full access, including managing books and users)
This is my first bigger project and even though I have read many Java lectures I cannot decide on a good way of modelling the following requirements on the client side:
- The client application has to manage the current login. The current user may change their basic information.
- Administrators may change all information
Now my problem: Shall every User class have the getters and setters, even though the current user may only be a Guest? What shall happen in the case when a setXY() is called without the rights to change information? Where in the code shall the authorization happen? User class? Server-API class?
An example or a link to an existing model like this would be very helpful. Thanks in advance.
One approach would be to use inheritance, i.e. a base abstract User class and AnonymousUser, GuestUser and AdminUser. Each class extends the capabilities of its parent. That works in simple scenarios but it is not flexible and especially hard to extend afterwards.
A better solution would be to create a User class that implements all required functionality (roughly the AdminClass in the former example) and wrap it in a proxy that is aware of the different user roles and may restrict access to single methods.
These checks should always take place at the server, as you cannot prevent requests from malicious clients.
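The following is an added example (not code from the question or the answer above) of the proxy approach the answer describes, and it also shows what happens when a setter is called without the right to change the information: the proxy rejects the call with an exception instead of silently ignoring it. It assumes a `UserAccount` interface, a `Role` enum, a `Principal` describing the caller as established by the server session, and an `AccessDeniedException`; all of these names are made up for the illustration. The full `UserAccountImpl` carries every getter and setter and no authorization logic; the `java.lang.reflect.Proxy`-based wrapper decides per method whether the caller (guest, the account owner, or an administrator) may invoke it. It needs Java 16 or later for the `record`.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Constructed example: role-aware proxy around a full user implementation.
// Role, UserAccount, Principal, AccessDeniedException and AuthorizingProxy are
// names assumed for this illustration, not part of any existing project.

enum Role { GUEST, USER, ADMIN }

/** Everything a user record can do; the proxy decides which calls are allowed. */
interface UserAccount {
    String getName();
    String getEmail();
    void setName(String name);   // owner or admin
    void setEmail(String email); // owner or admin
    void setRole(Role role);     // admin only
}

/** Plain implementation: all getters and setters, no authorization here. */
final class UserAccountImpl implements UserAccount {
    private final int id;
    private String name;
    private String email;
    private Role role;

    UserAccountImpl(int id, String name, String email, Role role) {
        this.id = id; this.name = name; this.email = email; this.role = role;
    }
    int id() { return id; }
    Role role() { return role; }
    public String getName() { return name; }
    public String getEmail() { return email; }
    public void setName(String name) { this.name = name; }
    public void setEmail(String email) { this.email = email; }
    public void setRole(Role role) { this.role = role; }
}

/** Raised when a method is called without the right to call it. */
final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String reason) { super(reason); }
}

/** Who is calling, as established by the server-side session (never taken from the client). */
record Principal(int userId, Role role) {}

/** Wraps a UserAccountImpl and restricts single methods according to the caller's role. */
final class AuthorizingProxy implements InvocationHandler {
    private final UserAccountImpl target;
    private final Principal caller;

    private AuthorizingProxy(UserAccountImpl target, Principal caller) {
        this.target = target; this.caller = caller;
    }

    static UserAccount wrap(UserAccountImpl target, Principal caller) {
        return (UserAccount) Proxy.newProxyInstance(
                UserAccount.class.getClassLoader(),
                new Class<?>[] { UserAccount.class },
                new AuthorizingProxy(target, caller));
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        String name = method.getName();
        if (name.equals("setRole")) {
            // Changing roles is reserved for administrators.
            require(caller.role() == Role.ADMIN, "only administrators may change roles");
        } else if (name.startsWith("set")) {
            // Basic information may be edited by the logged-in owner or by an administrator.
            boolean owner = caller.role() != Role.GUEST && caller.userId() == target.id();
            require(owner || caller.role() == Role.ADMIN,
                    "only the account owner or an administrator may edit this account");
        }
        // Getters (basic information) are readable by everyone, guests included.
        return method.invoke(target, args);
    }

    private static void require(boolean allowed, String reason) {
        if (!allowed) throw new AccessDeniedException(reason);
    }
}

public class AuthorizingProxyDemo {
    public static void main(String[] args) {
        UserAccountImpl alice = new UserAccountImpl(1, "Alice", "alice@example.org", Role.USER);

        UserAccount asGuest = AuthorizingProxy.wrap(alice, new Principal(0, Role.GUEST));
        System.out.println("guest reads: " + asGuest.getName());          // allowed
        try {
            asGuest.setEmail("guest@example.org");                         // denied
        } catch (AccessDeniedException e) {
            System.out.println("guest denied: " + e.getMessage());
        }

        UserAccount asAlice = AuthorizingProxy.wrap(alice, new Principal(1, Role.USER));
        asAlice.setEmail("alice.new@example.org");                         // owner: allowed
        try {
            asAlice.setRole(Role.ADMIN);                                   // not admin: denied
        } catch (AccessDeniedException e) {
            System.out.println("owner denied: " + e.getMessage());
        }

        UserAccount asAdmin = AuthorizingProxy.wrap(alice, new Principal(42, Role.ADMIN));
        asAdmin.setRole(Role.ADMIN);                                       // admin: allowed
        System.out.println("alice is now " + alice.role() + ", mail " + alice.getEmail());
    }
}
```

The same proxy can be built on the client purely to grey out or hide actions the current user is not entitled to, but the `Principal` there is only a hint for the UI: the server must construct its own `Principal` from the authenticated session and run the identical checks before touching its data, since a modified client can send any request it likes.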