How can I restrict records by user accounts as a default_scope, or better solution?


David McDonald

Feb 9, 2016, 9:49:56 AM
to Ruby on Rails: Talk
I currently have two models, "User" and "Report".  I want to find out the best way of restricting reports from certain user groups.

Given the following three groups...
  • General Manager
  • Store Manager
  • Employee
I would like to restrict the users from seeing certain reports.
  • General Manager can see all reports - no restrictions
  • Store Manager can see their reports and all employee reports
  • Employee can see only their own reports
I've currently been restricting access by basically "if" statements in the partials, but it seems like only a matter of time before one of these fails (by my own logic).  So the idea came to me to try and set the "default_scope" based on what role the user has...  To my knowledge it doesn't work this way though.  What would be the equivalent of this though?  Or is there a better idea?  Thanks!

Colin Law

Feb 9, 2016, 10:16:19 AM
to Ruby on Rails: Talk
default_scope is a global scope. Several times I have used
default_scope thinking it is a good idea but every time I have
regretted it and had to remove it and find all the queries and put the
scope in manually. My advice is don't use default_scope.

For your problem you could use a parametrised scope that is given a
role and returns the appropriate records. So you could say something
like
@reports = Report.by_role(current_user.role)
though having looked again I see that you also want to include the
user's own reports, in which case pass the user to the scope and do all
the logic in there, so
@reports = Report.visible_to_user(current_user)
That line would probably be in the controller.

Colin
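The parametrised scope Colin describes, worked through in plain Ruby as an added example (this is not code from either post). It models `Report.visible_to_user(current_user)` as one decision point that takes the user and returns only the records that user may see, so the role logic stops being scattered across view partials. It assumes users carry a `role` string and reports carry a `user_id`; in a real Rails app the same branches would live in an ActiveRecord `scope` returning a relation (sketched in a comment), and unknown roles fall through to "nothing", so a mis-set role fails closed rather than open.

```ruby
# Added example: the role-based visibility rule from the thread as a single,
# testable "scope" instead of if-statements in partials.
# Assumptions (not from the original posts): roles are the three strings below,
# a Report belongs to a User via user_id, and "their reports" means the
# manager's own reports.

ROLES = %w[general_manager store_manager employee].freeze

User = Struct.new(:id, :role) do
  def initialize(*)
    super
    # Reject typos in roles at construction time instead of silently denying later.
    raise ArgumentError, "unknown role #{role.inspect}" unless ROLES.include?(role)
  end
end

Report = Struct.new(:id, :user_id, :title)

# Stands in for the Report table; visible_to_user mirrors the ActiveRecord scope:
#
#   class Report < ApplicationRecord
#     scope :visible_to_user, lambda { |user|
#       case user.role
#       when "general_manager" then all
#       when "store_manager"
#         where(user_id: [user.id, *User.where(role: "employee").pluck(:id)])
#       when "employee"        then where(user_id: user.id)
#       else none
#       end
#     }
#   end
class ReportRepository
  def initialize(reports, users)
    @reports = reports
    @users = users
  end

  # The one place the rule is decided; controllers call this instead of
  # re-implementing the check per view.
  def visible_to_user(user)
    case user.role
    when "general_manager"
      @reports                                   # no restrictions
    when "store_manager"
      employee_ids = @users.select { |u| u.role == "employee" }.map(&:id)
      @reports.select { |r| r.user_id == user.id || employee_ids.include?(r.user_id) }
    when "employee"
      @reports.select { |r| r.user_id == user.id } # only their own
    else
      []                                         # fail closed for anything unexpected
    end
  end
end

# Constructed sample data: one user per role plus a second employee.
def report_visibility_demo
  users = [
    User.new(1, "general_manager"),
    User.new(2, "store_manager"),
    User.new(3, "employee"),
    User.new(4, "employee")
  ]
  reports = [
    Report.new(10, 1, "Company quarterly"),
    Report.new(11, 2, "Store A summary"),
    Report.new(12, 3, "Shift 1"),
    Report.new(13, 4, "Shift 2")
  ]
  repo = ReportRepository.new(reports, users)
  # Map each user id to the ids of the reports that user can see.
  users.map { |u| [u.id, repo.visible_to_user(u).map(&:id)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  report_visibility_demo.each { |uid, ids| puts "user #{uid} sees reports #{ids.inspect}" }
end
```

Because the filtering is applied when the collection is built (`@reports = Report.visible_to_user(current_user)` in the controller), a view that forgets a check still only ever receives permitted records; that is the property the default_scope idea was reaching for, without making the restriction global and invisible.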