Complex relationships

Currently, I have 3 models
User
Group
Permission

Users and Groups have a HABTM relationship and Groups and Permissions
have a HABTM relationship.

For purposes of authorization, I need to know if a user belongs to a
particular group that has a particlar permission to determine if they
can perform an operation.

What's the best way to go about this?

Have the user ask its groups if any of them have the permission in question:

target_permission = Permission.find(...)
user.groups.any? do |group|
  group.permissions.include?(target_permission)}
end