I'm setting up a private site where users have access to a limited set of data. Attached is a high-level view of the model diagram (exported from RubyMine).
Users are members of organizations and should only be able to view data associated with their organizations. It's easy enough to limit viewing data at the organization level, but where I'm a bit stuck is how to limit access to, say, a floor, which belongs to a building, which in turn belongs to an organization.
Am I going to have to navigate the whole tree back up to organization in each model's view_permitted? Or is there a simpler way?
I.e., for the floor model:
def view_permitted?(field)
  acting_user.employee? || acting_user.administrator? || this.building.organization.users.include?(acting_user)
end
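Added example, not part of the original post and not Hobo's own code: one way to keep the organization check in a single place is a shared module that asks each record for its owning organization, so every model only declares one hop up the tree. The classes are plain-Ruby stand-ins for the models; `OrganizationScoped`, `can_view?`, the nil handling and the sample records are assumptions made for illustration.

```ruby
# Plain-Ruby stand-ins for the models in the post (no Rails or Hobo needed to run).
# Only view_permitted?, acting_user, employee? and administrator? come from the post.
User = Struct.new(:name, :role) do
  def employee?; role == :employee; end
  def administrator?; role == :administrator; end
end
Organization = Struct.new(:name, :users)

module OrganizationScoped
  attr_accessor :acting_user # supplied by the framework in the post; set by hand here

  # The rule is written once; a model only answers "which organization owns me?"
  def view_permitted?(_field = nil)
    return false if acting_user.nil? # fail closed when no user is set
    return true if acting_user.employee? || acting_user.administrator?

    org = organization
    !org.nil? && org.users.include?(acting_user) # orphaned record: deny
  end
end

class Building
  include OrganizationScoped
  attr_reader :organization
  def initialize(organization); @organization = organization; end
end

class Floor
  include OrganizationScoped
  attr_reader :building
  def initialize(building); @building = building; end

  # One hop per level. With ActiveSupport this could instead be:
  #   delegate :organization, to: :building, allow_nil: true
  def organization; building&.organization; end
end

# Hypothetical helper standing in for the framework setting acting_user.
def can_view?(record, user)
  record.acting_user = user
  record.view_permitted?(nil)
end

# Constructed sample data
ALICE = User.new("alice", :member)
BOB   = User.new("bob", :member)
STAFF = User.new("staff", :employee)
ACME_FLOOR   = Floor.new(Building.new(Organization.new("acme", [ALICE])))
ORPHAN_FLOOR = Floor.new(nil)
```

A model added deeper in the tree (a room on a floor, say) would include the module and define `organization` as its parent's `organization`, and a record whose chain is broken is denied rather than raising.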