The root PageController component (in "_framework.PageController") has a "hasAccess" method that all other Page Controllers extend. This is the key to most security in Neptune. All pages call "hasAccess" (via "checkAccess") when they are loaded (more about Page Controller security).
The "hasAccess" method built into the Neptune "_framework.PageController" goes through the following steps:
First it checks if Neptune has a registered security component and the page is secured:
<cfif hasSecurityService() AND isSecuredPage()>
You could, of course, change how either of those methods work by adding your own versions to "_config.PageController".
The built-in "hasSecurityService" simply checks to see if Neptune has a security service registered. The "isSecuredPage" method returns the result of the "isSecuredPath" method of the security service (passing the CGI.SCRIPT_NAME value of the page). How the security service determines if the page needs to be secured is beyond the scope of Neptune's concern. The "Admins" program, for example, simply checks to see if the page is in the "admin" folder.
If Neptune has a security service and the page is one that should be checked for security, then the Page Controller will check if the page is within a secured program. If so, it will call the "checkUserAllowed" of the security service to see if the user has the appropriate permissions.
If Neptune has a security service and the page is one that should be checked for security and the user has access to the program, then the Page Controller will check if the page is associated with a component that has permissions. If so it will call "checkUserAllowed" for those permissions.
This works for all "-edit.cfm" and "-list.cfm" pages because the inherited Page Controller automatically find the component for that table and associates it with the Page Controller.
You can, of course, modify the "hasAccess" method to suit the needs of any given page.