Actually, I don't mind having this logic around. The one thing I dislike, though, is that I have to duplicate the code into the view of my web application to hide unavailable functionality from the UI. I hoped that with permissions it could turn out to be a *simple* check.
I understand wanting to avoid code duplication, but in my experience this is a common security paradigm. You check permissions in the view to make sure you don't show a user something they can't do. You then check the permission on the server in your business logic because you don't trust the view (what if they knew the URL that you hid in the view?).
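
The pattern discussed above, as an added example that is not code from either poster: the view and the server-side handler both call the same check, so the rule is written once and the server still enforces it when a hidden URL is requested directly. All names (`ROLE_PERMISSIONS`, `ROUTES`, `can`, `render_menu`, `handle_request`) and the sample users are hypothetical.

```python
# Added example: one policy shared by the view layer and the server-side
# handlers. Every name and value here is constructed for illustration.

ROLE_PERMISSIONS = {
    "admin": {"report:view", "user:delete"},
    "viewer": {"report:view"},
}

# Each route declares the permission it needs exactly once.
ROUTES = {
    "/reports": ("report:view", lambda user: "report data"),
    "/users/delete": ("user:delete", lambda user: "user deleted"),
}


def can(user, permission):
    """Single source of truth for authorization decisions."""
    return permission in ROLE_PERMISSIONS.get(user.get("role"), set())


def render_menu(user):
    """View layer: hide links the user cannot use. Cosmetic only."""
    return [path for path, (perm, _) in ROUTES.items() if can(user, perm)]


def handle_request(user, path):
    """Server side: enforce again, because a client can request any URL."""
    if path not in ROUTES:
        return 404, "not found"
    perm, action = ROUTES[path]
    if not can(user, perm):
        return 403, "forbidden"
    return 200, action(user)


if __name__ == "__main__":
    viewer = {"name": "constructed-user", "role": "viewer"}
    # The delete link is absent from the menu...
    print(render_menu(viewer))
    # ...and requesting its URL directly is still refused by the server.
    print(handle_request(viewer, "/users/delete"))
```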
