Write Only Log for 27 Aug 2025 - osric.uk

Thinking about authorisation ("we know who you are, we're trying to decide if you can do the thing you want to do").

We've got resources to protect - routes that should only work for, and parts of pages that should only display for authorised people.

We've got a list of users (two people is a list!). We can assign arbitrary properties to people including 'roles'. (Roles are magic strings)

I know I should think in terms of "0, 1, lots", but I'm pretty confident that it really is only ever going to be me and husband here, so having three sets of roles ("policies"), one for me, one for them, and one for everyone else shouldn't be a real problem.

(I guess I can always just stick it in the database anyway).

New service idea, a POST endpoint that accepts and stores any data, but the path is a token (either a guid or a random word song) that's got various validity checks (can only be used n times, max (and min?) file size, expected content type, source ip, that kind of thing). File gets saved and only the logged in user who created the token can access it.

Specific use case is to give Google somewhere to post the data from husband's food diary spreadsheet export, but might be useful to have laying about.
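
A sketch of the token checks described for the POST endpoint, as an added example that is not code from this site. The names (`UploadToken`, `issue`, `check_upload`, `can_read`), the in-memory dict store and the CIDR form for the source IP are all assumptions made for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class UploadToken:              # hypothetical record, one per issued path
    owner: str                  # logged-in user who created the token
    uses_left: int              # "can only be used n times"
    min_bytes: int
    max_bytes: int
    content_type: str           # expected media type, lowercase
    source_net: str             # allowed source range in CIDR form


def issue(store, owner, **limits):
    """Create an unguessable path token (128 random bits) and record its limits."""
    path = secrets.token_urlsafe(16)
    store[path] = UploadToken(owner=owner, **limits)
    return path


def check_upload(store, path, content_type, length, source_ip):
    """Return (ok, reason). A use is consumed only when every check passes."""
    tok = store.get(path)
    if tok is None:
        return False, "unknown token"
    if tok.uses_left <= 0:
        return False, "token used up"
    if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(tok.source_net):
        return False, "source ip not allowed"
    # Compare the media type only, ignoring parameters such as charset.
    if content_type.split(";")[0].strip().lower() != tok.content_type:
        return False, "unexpected content type"
    # length must be the number of bytes actually read, not the Content-Length header.
    if not tok.min_bytes <= length <= tok.max_bytes:
        return False, "size out of range"
    tok.uses_left -= 1
    return True, "ok"


def can_read(store, path, user):
    """Only the user who created the token may fetch what was posted to it."""
    tok = store.get(path)
    return tok is not None and tok.owner == user
```

The reason strings are for the server's own log; the HTTP response can be the same for every failure so that a caller cannot tell a wrong token from a wrong source address.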

The post entry button is in the wrong place (should be much closer to the input form) and page width is broken again.
