Session variable model validation

I am trying to implement a basic user permissions system with three access levels; 1, 2, and 3 (with 1 being the highest). A user should be able to create a new user but they should only at or below their own permissions level. e.g. a level 2 user who is logged in should only be able to create a level 2 or level 3 user.

I have sessions set up such that a user must be logged in to access the site and their user_id is stored in a session variable. The new and edit views for the User model are designed so that only the appropriate levels are displayed to the user. This is achieved by retrieving the user_id from the session data, getting current users level, and using the information to populate a drop down list.

I would like to add validation to my Users model to check that the user who is adding user has the appropriate access level. This should protect the database against someone bypassing the form.

I have tried to add the custom validation seen below but the session variable :user_id is not available to the model.

def appropriate_level     user = User.find(session[:user_id])     errors.add_to_base("Cannot set user level above #{user.level}" ) if level > user.level   end

Any ideas?

Pass down the current user in some way (eg have an instance variable called created_by. Doesn't have to be reflected in the database if you don't want it to.)