Session variable model validation

I am trying to implement a basic user permissions system with three
access levels; 1, 2, and 3 (with 1 being the highest). A user should be
able to create a new user but they should only at or below their own
permissions level. e.g. a level 2 user who is logged in should only be
able to create a level 2 or level 3 user.

I have sessions set up such that a user must be logged in to access the
site and their user_id is stored in a session variable. The new and edit
views for the User model are designed so that only the appropriate
levels are displayed to the user. This is achieved by retrieving the
user_id from the session data, getting current users level, and using
the information to populate a drop down list.

I would like to add validation to my Users model to check that the user
who is adding user has the appropriate access level. This should protect
the database against someone bypassing the form.

I have tried to add the custom validation seen below but the session
variable :user_id is not available to the model.

def appropriate_level
    user = User.find(session[:user_id])
    errors.add_to_base("Cannot set user level above #{user.level}" ) if
level > user.level

Any ideas?

Pass down the current user in some way (eg have an instance variable called created_by. Doesn't have to be reflected in the database if you don't want it to.)