I am trying to implement a basic user permissions system with three access levels: 1, 2, and 3 (with 1 being the highest). A user should be able to create a new user, but only at or below their own permissions level. e.g. a level 2 user who is logged in should only be able to create a level 2 or level 3 user.
I have sessions set up such that a user must be logged in to access the site and their user_id is stored in a session variable. The new and edit views for the User model are designed so that only the appropriate levels are displayed to the user. This is achieved by retrieving the user_id from the session data, getting the current user's level, and using that information to populate a drop-down list.
I would like to add validation to my Users model to check that the user who is adding a user has the appropriate access level. This should protect the database against someone bypassing the form.
I have tried to add the custom validation seen below but the session variable :user_id is not available to the model.
```ruby
def appropriate_level
  # session is not in scope here: this is the line that fails inside the model
  user = User.find(session[:user_id])
  # 1 is the highest level, so a smaller number means more privilege;
  # the new user's level must not be numerically below the creator's
  errors.add_to_base("Cannot set user level above #{user.level}") if level < user.level
end
```
Any ideas?
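As an added example that is not part of the original post, one way to keep the check in the model without touching the session: the controller (which knows the session) passes the logged-in user into the record as a virtual `creator` attribute, and the model validates against it. This is plain Ruby standing in for the ActiveRecord model so it runs without Rails; `creator`, `valid?` and `create_user` are assumed names.

```ruby
# Added example (not from the original post). Plain-Ruby stand-in for the
# ActiveRecord User model: the permission check lives in the model, but the
# acting user is passed in explicitly rather than read from the session.

LEVELS = [1, 2, 3].freeze  # 1 is the highest privilege, 3 the lowest

class User
  attr_accessor :name, :level, :creator   # creator is a virtual attribute, not a column
  attr_reader :errors

  def initialize(attrs = {})
    @name    = attrs[:name]
    @level   = attrs[:level]
    @creator = attrs[:creator]  # the logged-in User performing the create/update
    @errors  = []
  end

  # Mirrors an ActiveRecord `validate :appropriate_level` callback.
  def valid?
    @errors = []
    @errors << "Level must be one of #{LEVELS.join(', ')}" unless LEVELS.include?(level)
    appropriate_level
    @errors.empty?
  end

  private

  # A creator may only assign a level at or below its own privilege. Because 1 is
  # the highest level, a smaller number means more privilege, so the new user's
  # level must be numerically >= the creator's.
  def appropriate_level
    if creator.nil?
      @errors << "Creator must be set to create or change a user level"
    elsif LEVELS.include?(level) && level < creator.level
      @errors << "Cannot set user level above #{creator.level}"
    end
  end
end

# What the controller would do after `current_user = User.find(session[:user_id])`.
# `creator` is set from the session, never from params: merging it last means a
# forged `creator` field in the submitted form is overwritten, so bypassing the
# drop-down in the view does not bypass the check.
def create_user(current_user, attrs)
  user = User.new(attrs.merge(creator: current_user))
  [user.valid?, user.errors]
end
```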