• En controlador
• Helper

Métodos

Controlador

# app/controllers/application_controller.rb

def can_access?
    current_uri = request.env['PATH_INFO']
    unit_id = current_uri.split('/')[2].to_i
    unit = Unit.find(unit_id)
    user = current_user
    model = Model.find_by_name(controller_name.classify.constantize.to_s)
    action = Action.find_by_name(action_name.to_s)

    error=0
    user.roles.each do |role|
      if role.unit.id == unit_id
        error=1
        rma = Rma.where(role_id: role.id , model_id: model.id, action_id: action.id).first
        unless rma.nil?
          return true
        end
      end
    end

    # redirigir según si la persona no tiene acceso a la unidad o no tiene los permisos para realizar la acción
    if error==1
        redirect_to root_path, notice: 'acceso denegado, no tiene permisos para la acción ' +action_name.to_s+ ' del modelo '+controller_name.classify.constantize.to_s
    else
      # error==0
      redirect_to root_path, notice: 'acceso denegado, no pertenece a la unidad'
    end
end

# app/helpers/application_helper.rb

def can?(model_name, action_name)
    model = Model.find_by_name(model_name)
    action = Action.find_by_name(action_name)
    user = current_user
    if user.has_role?(:admin)
      return true
    end
    user.roles.each do |role|
      rma = Rma.where(role_id: role.id, model_id: model.id, action_id: action.id)
      unless rma.empty?
        return true
      end
    end
    return false
end

Helper

En cada controlador:

# app/controller/articles_controller.rb

class ArticlesController < ApplicationController
  before_action :can_access?

  def action
   ...
  end
end

• Agregar un before_action : can_access?

En las Vistas:

# app/views/buy_orders/index.erb

<% if can? :BuyOrder, :create  %>
  <%= link_to 'New Buy order', new_unit_buy_order_path %>
<% end %>

• Usar helper can?