Out of the box Jifty-based applications have an ACL system. The system automatically validates ACLs on Jifty::Record objects by calling the method current_user_can before any create, read, update, or delete operation. In all cases, the arguments passed to the CRUD operation are passed as extra arguments to current_user_can.

On create(), we reject the operation if current_user_can('create') returns FALSE.

On _value() or somefieldname, we reject the operation if current_user_can('read') returns false.

On _set() or set_somefieldname, we reject the operation if current_user_can('write') returns false.

On delete(), we reject the operation if current_user_can('delete') returns false.

Out of the box, current_user_can returns 1. When you want to actually check ACLs, you'll need to override current_user_can() in your Jifty::Record subclass.

It's likely that at some point, you'll decide you want to ask other questions on certain types of operation. Say, you only want to let administrators update the paid_account field. In that case, you'd override check_update_rights() to look for the admin right rather than the update right, if the FIELD is paid_account.