[Rails] Philosophical question about MVC
Hi folks,
I am working on Station, a Rails Engine [1] that supports authorization among
other things.
Using Station, you can ask a model about authorization, for example:
    post.authorize?(permission, :to => current_user)
My question arises when doing automatic Model - Controller mapping. How coupled
should the action in the controller be with the permission authorized in the
model?
Consider this resource:
    class PostsController
      authorization_filter
    end
This could map the authorization to the post instance this way:
* create
    Post.new.authorize?(:create, :to => current_user)
* show
    Post.find(params[:id]).authorize?(:show, :to => current_user)
I am not sure that the Controller actions should be mapped directly to the
Model permissions. There are cases when an action requires several
permissions, like:
* edit
    Post.find(params[:id]).authorize?(:show, :to => current_user) &&
    Post.find(params[:id]).authorize?(:update, :to => current_user)
Maybe this mapping could be declared in the controller, maybe in the model...
Can anyone shed light on this?
[1] http://rstation.wordpress.com
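
One way to declare the action-to-permission mapping in the controller, as an added example that is not part of the original post and is not Station's code. `User`, `ActionPermissions`, `requires` and `authorize_action!` are hypothetical names, and `Post#authorize?` is a stand-in that only mimics the call signature quoted above.

```ruby
# Added example: plain Ruby, no Rails. Post, User and ActionPermissions are
# hypothetical stand-ins; authorize? mimics the signature quoted in the post.
User = Struct.new(:name, :permissions)

class Post
  # Stand-in for the model-side check: grants only the agent's listed permissions.
  def authorize?(permission, options = {})
    agent = options[:to]
    !agent.nil? && agent.permissions.include?(permission)
  end
end

module ActionPermissions
  class Forbidden < StandardError; end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which model permissions a controller action requires.
    def requires(action, *permissions)
      raise ArgumentError, "no permissions given for #{action}" if permissions.empty?
      permission_map[action.to_sym] = permissions.map(&:to_sym).freeze
    end

    def permission_map
      @permission_map ||= {}
    end
  end

  # Deny by default: an action with no declaration is refused, and every
  # declared permission must be granted on the same loaded record.
  def authorize_action!(action, record, agent)
    required = self.class.permission_map[action.to_sym]
    raise Forbidden, "#{action}: no permissions declared" if required.nil?
    missing = required.reject { |perm| record.authorize?(perm, :to => agent) }
    raise Forbidden, "#{action}: missing #{missing.join(', ')}" unless missing.empty?
    true
  end
end

class PostsController
  include ActionPermissions
  requires :create, :create
  requires :show,   :show
  requires :edit,   :show, :update
end
```

An action added to the controller without a `requires` line is refused rather than silently allowed, and the record is loaded once and checked against every required permission.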