we ensure that all permissions are checked via the after_action :verify_authorized in the base controller in policies edit is an alias for update. we prefer the use of 'update'