Tutorial on authorisation

Hi there and thank you so much for posting such useful information.
I was wondering if you could have a tutorial on how to secure an app such as this one where users have accounts and post their own content. How do you make sure they can only access their own? When is it useful to use packages such as rules? How do you make sure static files served by Apache are only accessed by their owners?
Thanks for your consideration.