Mvc Design Question: Verify Current User On Update/delete

Where it is best to keep code, that verifies, that user model’s being changed or deleted is not belonging to currently logged in user (don’t allow current user to delete himself or manipulate own entry in users table)?

Normally, I would put that as another model’s validator. But validators are not executed (AFAIK) when model is deleted.

I don’t want to double code. What is the best approach to avoid that in such situation? Should I put it as validator and manually call it when deleting user (or force model validation before any user deletion)? Or should I build external helper-like function, that would be called by both model’s validator (automatically, when updating user) and by me (manually, when deleting user)?

Wouldn’t a business rule work?

If the ID of the user to delete in the database is the same as the current user, return false.

Or just put the business rule as an If statement in your delete action. Throw a CHttpException with a 403 code if the user is trying to delete itself. This is what I did because I wasn’t sure on how to make my business rule work in the database. I should probably fix that…