so would it be best to check the permission on each of the resources after getting the resources, instead of looking up all the resource IDs they have permission for first?