Securing instances rather than types #241

Open
smithmx opened this issue Jun 18, 2019 · 2 comments

smithmx commented Jun 18, 2019

If I have a command to UpdateFoo, there might be two different levels of security. Do you have the role needed to execute instances of UpdateFoo? (This is what we currently have.) However, we might also need to check whether you are allowed to update the particular instance of Foo that you want to change. This isn't checking against the type of UpdateFoo but checking if you are allowed to update Foo with FooId.

We probably want some kind of instance securable to distinguish from the type securable / namespace securable. However, this also has an impact on our pipeline. With current securables being against the structure of the command / query, we can perform it at the beginning of the pipeline. When we are looking at the content of the command, you will want to do it after the Input Validation and (probably) after the Business Validation. That is so you don't have to do any guard checks for an invalid command.

I'm not sure of the best way to do this with the fluent interface, since the rule will probably be specifically implemented for every type, so probably just expecting a predicate.

smithmx commented Jun 18, 2019

Related to #7

smithmx commented Jun 18, 2019

We can work around this for the moment by putting the instance authorization logic into the business validator.
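
The ordering proposed in the opening post, sketched in Python as an added example (not code from this project, whose own API is not shown on this page): the type-level role check runs first, and a per-type instance predicate runs after both validations. All names (`User`, `UpdateFoo` fields, `dispatch`, `TYPE_ROLES`, `INSTANCE_RULES`, the ownership rule) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class UpdateFoo:
    foo_id: str
    new_name: str

# Constructed sample data: Foo instances keyed by FooId.
FOOS = {"foo-1": {"owner": "alice", "name": "a"},
        "foo-2": {"owner": "bob", "name": "b"}}

# Type securable (assumed shape): role needed to execute any UpdateFoo.
TYPE_ROLES = {UpdateFoo: "foo-editor"}
# Instance securable (assumed shape): one predicate per command type.
INSTANCE_RULES = {
    UpdateFoo: lambda user, cmd: FOOS[cmd.foo_id]["owner"] == user.name,
}

def validate_input(cmd):
    return bool(cmd.foo_id) and bool(cmd.new_name.strip())

def validate_business(cmd):
    return cmd.foo_id in FOOS

def dispatch(user, cmd):
    """Run the pipeline; return 'executed' or the stage that rejected."""
    # 1. Type check needs only the command's type, so it runs first.
    #    Unknown command types are denied (fail closed).
    required = TYPE_ROLES.get(type(cmd))
    if required is None or required not in user.roles:
        return "denied:type"
    # 2-3. Validation runs before any rule reads the command content.
    if not validate_input(cmd):
        return "invalid:input"
    if not validate_business(cmd):
        return "invalid:business"
    # 4. Instance check: foo_id is known to exist here, so the
    #    predicate needs no guard clauses of its own.
    rule = INSTANCE_RULES.get(type(cmd))
    if rule is not None and not rule(user, cmd):
        return "denied:instance"
    FOOS[cmd.foo_id]["name"] = cmd.new_name
    return "executed"
```

With this ordering a caller who holds the role can tell a nonexistent FooId (`invalid:business`) from one they may not touch (`denied:instance`); map both to one external result if the existence of a Foo should not be disclosed.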
