There’s a way to hack rails to make this happen. It violates every MVC convention known and is a horrible idea.
The best approach is to do what you suggested… set it in the controller.
Yikes!
I don't think it's such a horrible idea if implemented properly. I'm successfully using a slightly modified version of Bruce Perens' ModelSecurity library quite successfully.
The very high-level idea is:
* The User model (or its equivalent) has a "current" method that returns a User object representing the currently logged-in user. All model code that needs to know the current user accesses User.current
* A before_filter in ApplicationController assigns User.current
* Thread-local storage is used to hold the value, since globals aren't thread-safe.