realized that the index route for nested resources was showing all resources, instead of those scoped to parent resource -- fixed that on all relevant controllers.
added one test each for controllers that had none.
commented out the authorization pipeline for now -- will handle that when we circle back to auth for jingle + adflow
29, plus: