xtopher liked a comment

5mos ago

Use authorization (permissions) to determine who can or cannot do something.

xtopher wrote a reply

6mos ago

Okay...thank you.

xtopher liked a comment

6mos ago

@xtopher If the models are shared then they’re the same application; they just have different types of users and entry points. That doesn’t warrant different applications.

xtopher liked a comment

6mos ago

I tend to like fat models, because I think that they're more than just data, they are "entities". So they perform actions as well. But I extract the code sometimes when it makes sense for me. So, like Povilas would say: it depends.

xtopher wrote a reply

6mos ago

Thanks for the response.

xtopher liked a comment

6mos ago

Regarding PCI-DSS certification, you don't need it if you tokenize without touching cardholder data. You need a very "soft" certification if you just submit data via POST to the payment gateway.

Go with a single project.

xtopher liked a comment

6mos ago

@xtopher Depends if you want to build and maintain two separate applications in two separate repositories or not? Personally, I wouldn’t if the apps need to operate on the same database schema, use the same models, etc.

xtopher wrote a reply

6mos ago

Thanks for replying. Yes, they share many models and the same database, but the admin also has some specific models for analytics and AML. It's not about what is convenient for me but about best practice.

xtopher started a new conversation

6mos ago

I am working on a project that features a heavy (static assets) admin portal and a relatively lightweight customer portal. I started the project with both the admin and customer sides on the same repo.

I have a few concerns:

  1. Will it be a concern for PCI-DSS certification?
  2. Should I use two Vue entry points for improved asset bundling, or should I separate them into two repositories?

More Context:

  1. I am the only developer working on the project for now (startup).
  2. The app won't deal directly with cardholder data, as I intend to use payment switches like Paystack/PayPal for the card transactions.
  3. I use Laravel/Vue/Inertia for development.

Any advice would really help clear some doubts.