Moving Permission Logic to the Model

Ideally what I would like to have happen:
Contact.find (and .find_by_xyz, etc) will never return a contact
unless is IN

User belongs to a Contact.
Contact belongs to a Group.
Group belongs to a SuperGroup.

Contact has permissions to access the directory listing of other users
of the same SuperGroup, but no one else.

There is never a case where Contact.find (or its derivatives
- .find_by_xyz) is called unless a User, which has_one Contact is
logged in.

What I want assistance with:
How can I put this constraint into the model?
There will never be an exception to this rule so I don't want to use a
named scope unless that's the only way. I want to override every
default find for this class, but I don't know how.

How about default_scope?


That is exactly what I was looking for.

Thanks so much Colin.