## add
require insert via ACL
limit: none
$acl->requireAllow('create');

## edit
require update via ACL
limit: own or any, via Model::requireAllow
Model::requireAllow('update', Model::get(array('item_id' => ID), 1));
…or…
Model::requireAllow('update', 'item_id' => ID);

## delete
require delete via ACL
limit: own or any, via Model::requireAllow
Model::requireAllow('delete', 'item_id' => ID);

## insert
require insert via ACL
limit: ?
$acl->requireAllow('create');
if (!$acl->check('update', 'any')) {
    if ($frm['account_id'] != $auth->get('account_id')) {
        $app->dieURL();
    }
}
Model::requireAllow('create', array(array('account_id' => getFormData('account_id'))));
Model::requireAllow('create', getFormData('account_id'));
…
Model::requireAllow('update', 'item_id' => ID); ???

## list
require list via ACL
limit: own or any, via SQL
$acl->requireAllow('read');
if (!$acl->check('read', 'any')) {
    $sql .= 'where account_id = ID';
}
(the account id in that filter must come from the authenticated session and be bound as a query parameter, never concatenated from request data, or the ownership limit can be bypassed)

## get
require: ?
limit: ?

---------------------------------------------------------------------

if limit = any
    no restriction
else if limit = own
    restrict to account_id
    LIST: add filter to SQL
    UPDATE/DELETE: bounce user if not in account

# Cases
1. action retrieves from db
   if limit, check object ownership
2. action modifies db
   if limit, check object ownership
3. action displays form / acts on item
   if limit, no object to check