I have different types of user permissions on a site. Some users are
able to edit specific pages, some users have ‘editor’ rights, and some
have ‘admin’ rights.
I can render different views depending on the permissions the user has,
and restrict the ability to edit certain subsets of data through a form.
But how can I protect a user (who has permission to access the ‘edit’
action) from submitting a raw POST request to edit specific fields that
they don’t have permission to edit?