An MVC Framework
The Model Class
At present the Model class doesn't have much in the way of access control.
It is envisioned to have a full RBAC one day. Which is why it has a User object. Even if the user is anonymous.
But, the Model class does have the basic hooks for adding access control. It has CanCreate(), CanModify(), CanDelete() and CanQuery() functions that all take a user id as a parameter. Currently, these functions are used more for business logic but, they were envisioned for both. So in an actual application CanModify() will not only check that the data object (e.g. Sales Order) can be modified (i.e. not Closed, still Open) as well as the logged in user has permission to modify it.
Until this feature is developed further, you'll need to add more of your own logic.
|Persistence||An MVC Framework||Additional Notes|