Help with Access Control


I am following the excellent tutorial
(post 5) on how to implement an access control feature i.e. only a
friend is allowed to view a profile of a particular member. I am not
using the restful authentication plugin as the author is using to
implement the authentication feature (post 1) in the tutorial. All I
am interested in is the post 5 where the author explains how to
implement access control. I have created the friends table and
followed post 5 step by step, unfortunately I am getting the following
error when I try to attempt to run the "show" method. Some tips will
really be helpful, many thanks in advance

   error: stack level too deep
reflection.rb:219:in `derive_class_name'
reflection.rb:106:in `class_name'
reflection.rb:129:in `klass'
reflection.rb:189:in `source_reflection'
reflection.rb:189:in `collect'
reflection.rb:189:in `source_reflection'
associations.rb:1128:in `new'
associations.rb:1128:in `pals'
  app/models/user.rb:17:in `has_pal?'
  app/controllers/users_controller.rb:20:in `show'


  line 16: def has_pal?(pal)
  line 17: self.pals.find(pal) ? true : false
  Line 18: end


  Line 18: def show
  Line 19: @info = User.find(params[:id])
  Line 20: unless current_user.has_pal?(@info)
  Line 21: redirect_to :controller => "users", :action => "index"
  Line 22: end
  Line 23: end

here is the full contents of the user model

require 'digest/sha1'
class User < ActiveRecord::Base
  has_many :pals
  has_many :pals, :through => :pals
# attr_accessor :password

  validates_presence_of :username
  validates_presence_of :password
  validates_presence_of :password_confirmation
  validates_length_of :password, :within => 4..40
  validates_confirmation_of :password
  validates_length_of :username, :within => 3..40
  validates_length_of :email, :within => 3..100
  validates_uniqueness_of :username, :email, :case_sensitive =>

    def has_pal?(pal)
  # self.pals.find(pal) ? true : false

  # errors.add_to_base("No password") if crypted_password.blank?
  # end

# Authenticates a user by their username name and unencrypted
password. Returns the user or nil.
  def self.authenticate(username, crypted_password)
    login = find_by_username(username) # need to get the salt
    if login
      expected_password = encrypted_password(crypted_password,
      if login.crypted_password != expected_password
        login = nil

def password
def password=(pw)
  @password = pw
  self.crypted_password = User.encrypted_password(self.password,

  def remember_token?
    remember_token_expires_at && <

  # These create and unset the fields required for remembering users
between browser closes
  def remember_me
    self.remember_token_expires_at = 2.weeks.from_now.utc
    self.remember_token = encrypt("#{email}--

  def forget_me
    self.remember_token_expires_at = nil
    self.remember_token = nil

    # before filter
    def self.encrypted_password(password, salt)
      string_to_hash = "#{password}wibble"+ salt

    def create_new_salt
      self.salt = self.object_id.to_s + rand.to_s