I will second @sunnyson here, policies is what you use to provide server-side, pre-controller logic-based limitations.