CRUD or not CRUD, I am so lost !

No, it’s fine for your public controllers to not scaffold, you need to ensure the right user is performing them etc…

I found reading the source of Mephisto blog helped me a lot
http://mephistoblog.com/