Better approach to restricting users access to managed controllers?

[eluser]CroNiX[/eluser]
I take a similar approach but issue a 404 instead of redirect. If they don't have proper permission, the page doesn't exist for them.

I store the controllers that users have access to in the users table, which all gets loaded into session upon successful login. Then, in MY_Controller (so I only have to do this in one place), it checks the (routed) request to see what controller is being called and compares that to the allowed controllers in the users session data. If allowed access to the requested controller, continue. If not, issue a 404.