authorization build in model?

Read up on ActiveRecord with_scope - you might want to do something like this:

    # Every find inside the block is restricted to the current user's groups
    Patient.with_scope( :find=>{:conditions=>["groups.user_id=?", User.current_user], :include=>[:groups]} ) do
      Patient.find(:all, :conditions=><other conditions for patient go here>, ...)
    end

This is a really nicely structured way of separating the authorisation concern from the actual query.

Note that you could also include the user table: :include=>{:groups=>:user} and then use users.user_id in the condition.

Cheers, Max
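
An added example, not part of the original post and not ActiveRecord's own code: a simplified stand-in that shows why the scoping pattern above keeps the authorisation condition separate from the caller's conditions. The class ScopedQuery, the method demo and the sample values (42, "Smith", "B2") are constructed for illustration, and the join that :include would add is left out.

```ruby
# Simplified stand-in for the scoping pattern, written for this example only.
# It models one behaviour: scoped conditions are ANDed with the caller's
# conditions, each in its own parentheses, and the scope ends with the block.
class ScopedQuery
  def initialize(table)
    @table = table
    @scopes = [] # stack of [sql_fragment, *bind_values]
  end

  # Apply an authorisation condition for the duration of the block only.
  def with_scope(conditions)
    @scopes.push(conditions)
    yield self
  ensure
    @scopes.pop
  end

  # Build [sql, binds] for a find, merging every active scope first.
  def find_sql(conditions = nil)
    parts = @scopes + [conditions].compact
    return ["SELECT * FROM #{@table}", []] if parts.empty?

    # Parentheses keep an OR in the caller's conditions from widening the scope.
    where = parts.map { |frag, *_| "(#{frag})" }.join(" AND ")
    binds = parts.flat_map { |_, *vals| vals }
    ["SELECT * FROM #{@table} WHERE #{where}", binds]
  end
end

# Constructed sample: the same caller query inside and outside the scope.
def demo(current_user_id)
  patients = ScopedQuery.new("patients")
  inside = patients.with_scope(["groups.user_id = ?", current_user_id]) do |q|
    q.find_sql(["patients.name = ? OR patients.ward = ?", "Smith", "B2"])
  end
  outside = patients.find_sql(["patients.name = ?", "Smith"])
  { inside: inside, outside: outside }
end

p demo(42) if __FILE__ == $PROGRAM_NAME
```

The query built outside the block carries no user restriction, so any finder that must be authorised has to run inside the scope.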