ACL

We currently have a gate for specifying which users can view the admin panel, but we also need more granular ACL logic for specifying which actions can be used on which resources by which users.

When a user can't e.g. edit a resource, he shouldn't be shown the button either.