Some of the access control should be granular down to per-user level #39

@vedxyz


Currently, many of the controller methods do not check for access control beyond a user belonging to a role.
For example, this means that any doctor may be able to take actions on cases that they aren't assigned to.

There are currently two service methods implemented at a basic level to achieve some granularity. These are only used in a few places across the controllers.
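
Added example, not code from this repository: a role-only controller action next to one that also checks per-case assignment, plus a sweep that lists every (user, case) pair an action allowed without an assignment. All names, roles and ids here (`add_note_role_only`, `require_assigned`, `find_unassigned_access`, the "doctor" and "patient" roles) are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
class Forbidden(Exception): pass

@dataclass(frozen=True)
class User:
    id: int
    role: str

@dataclass
class Case:
    id: int
    assigned_doctor_ids: frozenset
    notes: list = field(default_factory=list)

# Constructed sample data (hypothetical ids and role names).
USERS = [User(10, "doctor"), User(11, "doctor"), User(12, "patient")]
CASES = {1: Case(1, frozenset({10})), 2: Case(2, frozenset({11}))}

def require_role(user, *roles):
    if user.role not in roles:
        raise Forbidden("role not permitted")

def require_assigned(user, case):
    # Object-level check; same error for "missing" and "not yours" so ids cannot be probed.
    if case is None or user.id not in case.assigned_doctor_ids:
        raise Forbidden("case not found or not accessible")

def add_note_role_only(user, case_id, text):
    require_role(user, "doctor")  # the role is the only gate
    CASES[case_id].notes.append((user.id, text))

def add_note_per_user(user, case_id, text):
    require_role(user, "doctor")
    case = CASES.get(case_id)
    require_assigned(user, case)  # role check plus per-case assignment check
    case.notes.append((user.id, text))

def find_unassigned_access(action):
    """Return (user_id, case_id) pairs the action allowed without an assignment."""
    leaks = []
    for user in USERS:
        for case in CASES.values():
            if user.id in case.assigned_doctor_ids:
                continue
            try:
                action(user, case.id, "probe")
                leaks.append((user.id, case.id))
            except Forbidden:
                pass
    return leaks
```

Running a sweep like `find_unassigned_access` over each controller action in a test suite shows which ones still rely on the role alone.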
