Change Core Controller Behavior through Module

I’m developing a module that lets admins restrict what resources non-admin users see by grouping resources and users into associated teams. The main rationale is that team members would be able to have higher permissions, like edit and delete, against resources within their team without permitting them to use that privilege globally.

Once I got the teams set up and some test data loaded, my natural inclination was to add a check to any controllers that show or modify resources to make sure the current user and the requested resource share a common team before serving the content. Though, I wasn’t sure how to do this through a modular/add-on design strategy. For proof-of-concept, I redeclared a core controller factory (eg ItemController) in my module’s config to return a controller from within the module were I added the check, but that seems like a poor design for production.

I’m new to designing extensible applications, but it seems like the design pattern is attaching listeners to the EventManagers that listen for the named events triggered in the views? Can/should I use this strategy to overwrite variables served to the view, or to modify content within the view? For example, to replace the $items variable from the ItemController’s browse action with an $items variable that I populate and then introduce through an event listener?