I can see a want for front-end or other systems' developers to want to know what permissions a user has. Right now, you'd need to either know that on the page you're requesting or create a page that will show you that.
Instead, under the user controller, create a route for permissions. Then you can request a list of permissions for the system to tell you if they have the permission or not. This would require another table that would define all of the permissions and what permission you must have to see if the person has it or not. Something like "permissions" with columns: permission, viewable_with. I guess you can extend that even further to allow permissions to be much more dynamic. You can add "help_text" and "editable_with." Though, that's not really point of this post.
Now that you have who can view each permission, you add a route like: ?u=23;perms=approve_posts,poll_view to check board permissions: ?u=23;board_perms=approve_posts:1,2,3,4
Return would be JSON
That would be a kind of external API, right?
So that another application can probe the system to understand if a certain user has a certain permission?
If I understand it correctly, in the current configuration of the permissions, another table wouldn't be really necessary, it would just be "enough" to grab the user's data and do an equivalent of allowedTo.
Am I wrong?
Eh, you would need the other table because you don't want to allow anyone to view what permissions someone has. Yeah, it would be more for an API, but I think it would be useful for Javascript scripts.