I've already separated the authentication bit out of my controllers, but I'm still forced to assign permissions and roles in my controller actions and service classes.
Let's say that a user is creating a blog entry or something like that, and the system will assign the user a permission giving him the right to do whatever he (or she) wants with the entry. Today I'm doing this in the same controller action that's doing the CRUD operation. Are there any established best practices regarding how to create (and assign) permissions to users?
Bonus question: How do people do this in Grails?