A client of mine has suggested implementing the security features for a web application by assigning permissions for stored procedures in a SQL Server 2008 database. So the users who should only view the data should be given read permission on stored procedures, so if he tries to execute an SP which edits the data, an error would be raised.
I strongly disagree with coding to invoke errors. Exceptions are expensive. What could go wrong with this approach? When hundreds of users log in and thousands of permission errors are raised on the server, how much would it affect the performance of the web application? Need some help to convince them.
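
The scheme described in the question, sketched in T-SQL as an added example that is not part of the original post: in SQL Server the grantable permission on a stored procedure is EXECUTE, and `HAS_PERMS_BY_NAME` lets the application ask up front what the current user may run, so a denial is the backstop rather than the normal control path. The table, procedure, role and user names are hypothetical.

```sql
-- Constructed example: all object, role and user names are hypothetical.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Status varchar(20) NOT NULL);
CREATE ROLE app_reader;
CREATE ROLE app_editor;
CREATE USER viewer_user WITHOUT LOGIN;   -- stand-in for a view-only web user
GO

CREATE PROCEDURE dbo.usp_GetOrders
AS
    SELECT OrderId, Status FROM dbo.Orders;
GO

CREATE PROCEDURE dbo.usp_UpdateOrderStatus
    @OrderId int,
    @Status  varchar(20)
AS
    UPDATE dbo.Orders SET Status = @Status WHERE OrderId = @OrderId;
GO

-- Roles receive EXECUTE on procedures only and no permissions on the table.
-- Table and procedures share the owner (dbo), so ownership chaining lets the
-- procedures touch dbo.Orders without any direct table grant.
GRANT EXECUTE ON dbo.usp_GetOrders         TO app_reader;
GRANT EXECUTE ON dbo.usp_GetOrders         TO app_editor;
GRANT EXECUTE ON dbo.usp_UpdateOrderStatus TO app_editor;

-- SQL Server 2008 syntax for role membership.
EXEC sp_addrolemember 'app_reader', 'viewer_user';
GO

-- Check effective permissions as the view-only user.
EXECUTE AS USER = 'viewer_user';

SELECT
    HAS_PERMS_BY_NAME('dbo.usp_GetOrders',         'OBJECT', 'EXECUTE') AS can_read,  -- 1
    HAS_PERMS_BY_NAME('dbo.usp_UpdateOrderStatus', 'OBJECT', 'EXECUTE') AS can_edit;  -- 0

EXEC dbo.usp_GetOrders;   -- allowed through app_reader

-- Calling the edit procedure here would be rejected with an
-- "EXECUTE permission was denied" error before any UPDATE runs:
-- EXEC dbo.usp_UpdateOrderStatus @OrderId = 1, @Status = 'shipped';

REVERT;
```

With the check result cached per session, the web tier can hide edit actions from view-only users, and the database grant still blocks any call that slips past the UI.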