I am working on Station, a Rails Engine  that supports authorization among
Using Station, you can ask a model about authorization, for example:
post.authorize?(permission, :to => current_user)
My question rises when doing automatic Model - Controller mapping. How coupled
should be the action in the controller with the permission authorized in the
Consider this resource:
This could map the authorization to the post instance this way:
Post.new.authorize?(:create, :to => current_user)
Post.find(params[:id]).authorize?(:show, :to => current_user)
I am not sure that the Controller actions should be mapped directly to the
Model permissions. There are cases when an action requires several
Post.find(params[:id]).authorize?(:show, :to => current_user) &&
Post.find(params[:id]).authorize?(:update, :to => current_user)
Maybe this mapping could be declared in the controller, maybe in the model...
Can anyone shed light on this?