check permission before actions like "change", "create" or "delete" - the command could be arbitrarily injected into GET
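An added example, not code from the original page or its project: a minimal dispatcher in which the action name arrives in the GET query string and is authorized on the server before any handler runs. The role table, the handler functions and `handle_get` are hypothetical names chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed role-to-action grants (hypothetical); anything not listed is denied.
GRANTS = {
    "admin": {"view", "change", "create", "delete"},
    "editor": {"view", "change", "create"},
    "viewer": {"view"},
}

class Forbidden(Exception):
    """Raised when the caller's role does not grant the requested action."""

def do_view(store, p):
    return store.get(int(p["id"]))

def do_change(store, p):
    item_id = int(p["id"])
    if item_id not in store:
        raise KeyError(item_id)
    store[item_id] = p["value"]
    return item_id

def do_create(store, p):
    new_id = max(store, default=0) + 1
    store[new_id] = p["value"]
    return new_id

def do_delete(store, p):
    store.pop(int(p["id"]))
    return True

HANDLERS = {"view": do_view, "change": do_change,
            "create": do_create, "delete": do_delete}

def handle_get(url, role, store):
    """Dispatch the action named in the query string, authorizing it first."""
    # Every query parameter, including "action", is chosen by the client.
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    action = params.get("action", "view")
    if action not in HANDLERS:
        raise ValueError(f"unknown action: {action!r}")
    # Server-side check before any handler runs; hiding a button is not a control.
    if action not in GRANTS.get(role, set()):
        raise Forbidden(f"role {role!r} may not {action}")
    return HANDLERS[action](store, params)
```

The check is default-deny: a role missing from the table, or an action missing from a role's set, is refused before the store is touched.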