Hi and thanks for your message.
Generally, when creating a more indepth product, I do the following approaches:
a) add an ACL with various permissions like read/create/update/delete on each object. Optionally an additional method will be attached to validate if the user can edit this object based on identifiers in the object.
b) check that ACL in a service class - and only service classes can modify, find, create or delete models (objects that were previously applied with ACL above).
c) and per page, I write a front controller method usually that reads in the action and validates that against the current user.
This makes it security in depth. First, we restrict access to the page. If that's forgotten or hacked around, there is an additional security check on the service/model level.
aaronsaray.com || <-- yeah... try it.