Data from DB based on role

I'm creating a Rails app requiring an ACL system to grant different privileges to users, but I have some doubts on how to structure it.

Right now I have three users: Administrator > Area manager > Employee

I'm able to distinguish between users and block certain actions or controllers based on the role. What I don't get is how to manage in a clean way situations where different kinds of users access the same action, but have to display and get different data from the database.

Example:

An employee has_many :documents, and in the index action of the documents_controller I have to get HIS documents (something like current_user.documents), but an area manager accessing the same action has to get ALL the documents (Document.find(:all)).

I can't think of a clean way to implement this while avoiding conditions in the controller like "if the user is a X, find(something) else find(something else)".

Thanks in advance for your suggestions.

You'll have to scope the find at some point, and if this requirement is really pervasive, I'd recommend creating a find_using_role_or_id method (or something like that) which at least lets you write and maintain that "find scoping" code in a single place, not in every controller's index method.

Patch it into ActiveRecord, or create an abstract class that sits between ActiveRecord and the rest of your models and implements the method.
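One way to keep that "find scoping" in a single place, as an added example that is not code from the original thread: plain Ruby with a constructed in-memory store standing in for ActiveRecord, so it runs offline. The `RoleScoped` module, the `visible_to` method, the role names and the sample records are all assumptions. The point it adds to the reply above is that the role-to-data mapping is a whitelist, so a role the mapping does not know about gets nothing rather than the broadest query.

```ruby
# Added example (not from the original post): role-based find scoping in one place.
# An in-memory store replaces ActiveRecord so this runs stand-alone; the roles,
# records and user ids below are constructed sample data.

User = Struct.new(:id, :role)
Document = Struct.new(:id, :owner_id, :title)

# The single place that knows how a role maps to the data it may see.
# Unknown or missing roles fall through to an empty result (deny by default),
# so a misspelled role name can never leak every record.
module RoleScoped
  SCOPES = {
    administrator: ->(all, _user) { all },
    area_manager:  ->(all, _user) { all },
    employee:      ->(all, user)  { all.select { |d| d.owner_id == user.id } }
  }.freeze

  def visible_to(user)
    rule = SCOPES[user.role&.to_sym]
    return [] unless rule

    rule.call(all, user)
  end
end

# Stand-in for an abstract model class sitting between ActiveRecord and Document.
class DocumentStore
  include RoleScoped

  def initialize(docs)
    @docs = docs
  end

  def all
    @docs.dup
  end
end

# The same index action serves every role; no role conditions live here.
class DocumentsController
  def initialize(store, current_user)
    @store = store
    @current_user = current_user
  end

  def index
    @store.visible_to(@current_user)
  end
end

# Constructed sample records: user 10 owns documents 1 and 3, user 11 owns 2.
SAMPLE_DOCS = [
  Document.new(1, 10, 'timesheet'),
  Document.new(2, 11, 'expense report'),
  Document.new(3, 10, 'review')
].freeze

# Returns the ids the given role/user would see from the index action.
def documents_for(role, user_id)
  store = DocumentStore.new(SAMPLE_DOCS)
  DocumentsController.new(store, User.new(user_id, role)).index.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  p documents_for(:employee, 10)      # => [1, 3]
  p documents_for(:area_manager, 11)  # => [1, 2, 3]
  p documents_for(:contractor, 10)    # => []
end
```

With ActiveRecord the lambdas would return relations (`all` versus `where(owner_id: user.id)`) instead of filtered arrays, but the shape is the same: one whitelist keyed by role, consulted by one method, with the empty result as the default branch.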

Ar Chron wrote:

You'll have to scope the find at some point, and if this requirement is really pervasive, I'd recommend creating a find_using_role_or_id method (or something like that) which at least lets you write and maintain that "find scoping" code in a single place, not in every controller's index method.

Patch it into ActiveRecord, or create an abstract class that sits between ActiveRecord and the rest of your models and implements the method.

Thanks for your reply. It's a good suggestion, but in fact the scope is not limited to the find, sometimes I have to perform some code in the controller not related to AR but different from user to user.

In the past, in those situations, I used to create a different namespace for every user, with shared views, but this has the disadvantage of having a lot of controllers which are really similar.