Share information between users

Hi everyone

I'm using Devise for authentication. I have a User model and a Company Profile model. The Company Profile model belongs to a User. But a User can receive a request from another user to see its Company Profile info. Once the request is accepted, the user can then see that profile.

I would like to know what the best way of doing this is:

  1. If I create the Company Profile as a nested resource of the user, how can I permit another user to see it, since I always have to have the user_id of the user who owns the profile?

  2. Use CanCan and create a rule table where I store user_id, company_id, role, and add to this table permissions for admin (the owner) and read (for users who are authorised)?

Any other ideas?

Company Profile Model:

    class Empresa < ActiveRecord::Base
      validates :tipo, presence: true
      validates :apelido, :uniqueness => true
      validates :cpf_cnpj, :uniqueness => true
      validates :nome, presence: true
      validates :slug, :uniqueness => true

      TIPO = [
        'Atacadista e Varejista',

      validates :tipo,
                inclusion: { in: TIPO }

      before_validation :gera_slug
      belongs_to :usuario, dependent: :
      def to_param

      def gera_slug
        self.slug ||= apelido.parameterize if apelido

User Model:

    class Usuario < ActiveRecord::Base
      # after_create :send_welcome_email
      # has_one :empresas, dependent: :destroy
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable
      validates :email,
                :presence => true,
                :uniqueness => true,
                :format => { :with => /\A[^@\s]+@([^@.\s]+\.)*[^@.\s]+\z/ }

      # has_one :empresas, dependent: :destroy
      # accepts_nested_attributes_for :empresas
      # private

      # def send_welcome_email
      # UserMailer.signup_confirmation(self).deliver
      # # redirect_to self, notice: "Conectado com sucesso. Enviamos um email de boas vidas, verifique se você o recebeu pois será nossa forma de comunicação !"
      # end


User controller: Devise, nothing changed

Company Profile controller:

    class EmpresasController < ApplicationController
      before_filter :authenticate_usuario!

      before_action :set_empresa, only: [:show, :edit, :update, :destroy]

      def index
        @empresa = @usuario.empresas
      def show
        # @empresa.find(params[:usuario_id])
        # @empresa = @usuario.empresas
        # @empresa = Empresa.find(params[:slug])
        # if !@empresa
        # redirect_to new_usuario_empresa_path(current_usuario)
        # end
      def new
        @empresa = @usuario.empresas.build
      def edit
        # @empresa = @usuario.empresas

      def create
        @empresa =
        respond_to do |format|
          if @empresa.save
            format.html { redirect_to usuario_empresa_path(@usuario,@empresa), notice: 'Cadastro efetuado com sucesso !' }
            format.json { render :show, status: :created, location: usuario_empresa_path(@usuario,@empresa) }
            format.html { render :new }