I am new to RoR and RESTful. I just listened to the David's keynote at RailsConf and I think the what suggested above are not the RESTful way.
What's not RESTful about it?
According to David, the RESTful way of modeling what you have there is to introduce a new active model called (for example) Writings, which represents the relationship of a user's articles. Then creating a Writing object is adding an article to the user and you can easily check the permission by trying to find the Writing object by both user_id and article_id.
Any thoughts?
User#articles already represents the relationship between a user and his articles. Throwing something in between is just some weird overhead.
You can of course really easily handle permissions by calling current_user.articles.find(params[:id]). That does the scoping for you and everything.
The "missing model" usually occurs with a many to many relationship.
Pat