restrict ID access
I have a similar issue on a site i am building for UK schools.
There need to be four levels of access (1. Corporate access which define schools, 2. schools that define teachers, 3. teachers that define pupils, 4. pupils)
It is important that pupils (who will try and break everything) only view their own content and that if someone deduces that if they manually enter a ID string to the end of the url that they will be denied access.