Pull all authorization logic into the controller as well as access to models and use it in the web API.