Limiting access to records by user
I'm working on an application that needs different user roles for the backend. Does anyone have a tutorial or an example module that they'd be willing to share so that a noob like me can get some direction?
Basically, I have two user groups, admins and sales reps. Sales Reps will have access to Purchase Orders that their company has generated. There might be multiple users from the same company, so I'd like to restrict viewing and editing POs by company. I can accomplish this by adding a "company" field to the fuel_users table and my POs table, then extending the "list_items" method to restrict by the logged in users company. I can get around what I've done, by just typing "/fuel/sales_reps/pos/edit/record_id_to_edit" in the address bar. Which method can I extend to restrict editing records?
I realize that this should properly be a separate module, but I'm a little lost as to where to start. Do I need to create a new controller for this? Or should I use the fuel module's user model as an example? Any guidance is appreciated.
Thanks in advance.