This may be a philosophical question, but I thought I'd ask it here since I'm suffering from a bit of analysis paralysis.
I'm currently working on a browser-based game (client-side HTML/JavaScript, and WCF Web Services to reach the backend) and I'm trying very hard to have a nice, rich Domain Model.
So here's my question. I have a class called Squadron

    public class Squadron
    {
        public string SquadName { get; set; }
        public User Owner { get; set; }
        public int XPosition { get; set; }
        public int YPosition { get; set; }
        public int XTarget { get; set; }
        public int YTarget { get; set; }
    }

The Squadron is owned by a User

    public class User
    {
        public string Username { get; set; }
        public string Password { get; set; }
        public string Email { get; set; }
        public int UserID { get; set; }
        public List<string> Roles { get; set; }
    }

I also have a Squadron repository that returns a fully populated Squadron object, based on its ID. I have a web service (basically, GetSquadron) that should return the Squadron. However, the attached User object has some information that I probably don't want exposed to any client (Password, as an obvious example). Although it seems that Password should be a part of this Domain object... it doesn't seem like something I always want populated.
I've considered adding another layer of logic (after the Domain object has been populated) that will ensure that the calling user has access to certain fields, but I was wondering what best practices I can find in the community. I tried Googling but I haven't had much luck.
Thanks!
EDIT: Before anyone harps on it, the password is hashed. I never store a clear-text password in the database. I just figured that I probably shouldn't be returning the password, encrypted or not.
EDIT 2 (Phillip): I've populated the User object because I do need a couple of those fields down on the client side (Username and UserID, and possibly Email). Maybe creating some DTOs is the answer to the problem. I guess I thought it'd be nice to have a common model across all layers.
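
The DTO approach raised in EDIT 2, sketched as an added example that is not part of the original post: the service returns a wire contract built by an explicit allowlist copy, so Password and Roles have no member to travel in. The names `SquadronDto`, `OwnerDto`, `SquadronMapper` and `callerUserId`, and the rule that Email is visible only to the squadron's owner, are assumptions made for illustration.

```csharp
using System;
using System.Runtime.Serialization;

// Domain classes from the question, trimmed to the fields used here.
public class User {
    public int UserID { get; set; }
    public string Username { get; set; }
    public string Password { get; set; }   // hash; stays server-side
    public string Email { get; set; }
}
public class Squadron {
    public string SquadName { get; set; }
    public User Owner { get; set; }
    public int XPosition { get; set; }
    public int YPosition { get; set; }
}

// Wire contracts: under [DataContract], WCF serializes only [DataMember] members.
[DataContract] public class OwnerDto {
    [DataMember] public int UserID { get; set; }
    [DataMember] public string Username { get; set; }
    // Left out of the payload entirely when null (caller is not the owner).
    [DataMember(EmitDefaultValue = false)] public string Email { get; set; }
}
[DataContract] public class SquadronDto {
    [DataMember] public string SquadName { get; set; }
    [DataMember] public int XPosition { get; set; }
    [DataMember] public int YPosition { get; set; }
    [DataMember] public OwnerDto Owner { get; set; }
}

public static class SquadronMapper {
    // Allowlist copy: a field added to User later is not exposed until mapped here.
    // callerUserId (assumed) comes from the authenticated session, never from the request body.
    public static SquadronDto ToDto(Squadron s, int callerUserId) {
        bool callerIsOwner = s.Owner.UserID == callerUserId;
        return new SquadronDto {
            SquadName = s.SquadName, XPosition = s.XPosition, YPosition = s.YPosition,
            Owner = new OwnerDto {
                UserID = s.Owner.UserID, Username = s.Owner.Username,
                Email = callerIsOwner ? s.Owner.Email : null
            }
        };
    }
    public static void Main() {
        // Constructed sample data.
        var owner = new User { UserID = 1, Username = "red1", Password = "<hash>", Email = "red1@example.test" };
        var squad = new Squadron { SquadName = "Alpha", Owner = owner, XPosition = 3, YPosition = 4 };
        Console.WriteLine(ToDto(squad, 2).Owner.Email == null);   // caller 2 is not the owner
    }
}
```

The domain `User` stays intact for server-side logic such as login, and GetSquadron returns `SquadronDto` rather than `Squadron`.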