Policy Scopes and Preconditions
In addition to allowing or restricting access to a complete operation, you may wish to only restrict the scope of the operation. For example instead of listing all users on the index page, only list the current user.
authorization
Authorization
Currently any logged in user can add new users and edit existing users. We want to add more finely detailed restrictions. For example we want to restrict non-Admins from editing any user but themselves, nor adding any new accounts. Also we want to restrict non-Admins from changing their role from User to Admin.
Application Setup
The first thing you will need to do is set up your database and basic application, then get your application to communicate with the database.