Hi everyone,

I'm using Devise for authentication. I have a User model and a Company Profile model. The Company Profile model belongs to a User. But a User can receive a request from another user to see its Company Profile info. Once the request is accepted, the user can then see that profile.

I would like to know what is the best way of doing this:

1) If I create the Company Profile as a nested resource of User, how can I permit another user to see it, given that I always have to have the user_id of the user who owns the profile?

2) Use CanCan and create a rule table where I store user_id, company_id and role, and add to this table permissions for admin (the owner) and read (for users who are authorised)?

Any other ideas?

Company Profile model:

class Empresa < ActiveRecord::Base
  TIPO = ['Atacadista', 'Varejista', 'Atacadista e Varejista',
          'Representantes', 'Serviços', 'Imprensa']

  validates :tipo, presence: true, inclusion: { in: TIPO }
  validates :apelido, uniqueness: true
  validates :cpf_cnpj, uniqueness: true
  validates :nome, presence: true
  validates :slug, uniqueness: true

  before_validation :gera_slug

  # dependent: :destroy on the belongs_to side would delete the owning user
  # whenever a profile is destroyed; it belongs on the has_many side instead.
  belongs_to :usuario

  # Use the slug in URLs instead of the numeric id.
  def to_param
    slug
  end

  def gera_slug
    self.slug ||= apelido.parameterize if apelido
  end
end

User model:

class Usuario < ActiveRecord::Base
  # after_create :send_welcome_email

  # The controller below calls @usuario.empresas.new, which only exists on a
  # has_many association, so it is declared here (it was commented out).
  has_many :empresas, dependent: :destroy

  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable, :recoverable,
         :rememberable, :trackable, :validatable

  validates :email, presence: true, uniqueness: true,
                    format: { with: /\A[^@\s]+@([^@.\s]+\.)*[^@.\s]+\z/ }

  # accepts_nested_attributes_for :empresas

  # private
  # def send_welcome_email
  #   UserMailer.signup_confirmation(self).deliver
  #   # redirect_to self, notice: "Conectado com sucesso. Enviamos um email de boas vidas, verifique se você o recebeu pois será nossa forma de comunicação !"
  # end
end

User controller: Devise, nothing changed.

Company Profile controller:

class EmpresasController < ApplicationController
  before_filter :authenticate_usuario!
  before_action :set_usuario
  before_action :set_empresa, only: [:show, :edit, :update, :destroy]

  def index
    @empresas = @usuario.empresas
  end

  def show
    # @empresa = Empresa.find(params[:slug])
    # if !@empresa
    #   redirect_to new_usuario_empresa_path(current_usuario)
    # end
  end

  def new
    @empresa = @usuario.empresas.new
  end

  def edit
  end

  def create
    @empresa = @usuario.empresas.new(empresa_params)

    respond_to do |format|
      if @empresa.save
        format.html { redirect_to usuario_empresa_path(@usuario, @empresa), notice: 'Cadastro efetuado com sucesso !' }
        format.json { render :show, status: :created, location: usuario_empresa_path(@usuario, @empresa) }
      else
        format.html { render :new }
        format.json { render json: @empresa.errors, status: :unprocessable_entity }
      end
    end
  end

  private

  # The message was cut off after the create action; the callbacks referenced
  # above are reconstructed here and their bodies are assumptions.
  def set_usuario
    @usuario = Usuario.find(params[:usuario_id])
  end

  def set_empresa
    # to_param returns the slug, so params[:id] carries the slug, not the numeric id;
    # scoping through @usuario.empresas keeps the lookup inside the nested user.
    @empresa = @usuario.empresas.find_by!(slug: params[:id])
  end

  def empresa_params
    # Permitted attributes assumed from the model's validations.
    params.require(:empresa).permit(:tipo, :apelido, :cpf_cnpj, :nome)
  end
end
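As an added example, not code from the post above, here is option 2 (the rule table) sketched in plain Ruby with an in-memory stand-in for the table, so it runs without Rails. Grant, AccessControl and every method name are hypothetical; in a Rails app the grant rows would be a model with usuario_id, empresa_id, role and status columns, and authorize! would be called from a controller callback such as set_empresa after the record is loaded by slug. The owner is derived from Empresa#usuario_id rather than stored in the table, so a forged grant row can never make someone an owner, and every check denies by default.

```ruby
# Added example: an in-memory model of the "rule table" idea from the post.
# Grant, Empresa (a Struct here, not the ActiveRecord model), AccessControl
# and all method names are hypothetical.
Grant   = Struct.new(:usuario_id, :empresa_id, :role, :status)
Empresa = Struct.new(:id, :usuario_id, :apelido)   # usuario_id is the owner

class AccessControl
  class AccessDenied < StandardError; end

  # Owners may do everything; an accepted :read grant allows only these.
  READ_ACTIONS   = %i[index show].freeze
  MANAGE_ACTIONS = (READ_ACTIONS + %i[edit update destroy]).freeze

  def initialize
    @grants = []   # constructed stand-in for the grants table
  end

  # A visitor asks to see a profile; the row is created as :pending.
  def request_access(visitor_id, empresa)
    raise ArgumentError, 'owner needs no grant' if empresa.usuario_id == visitor_id
    existing = find_grant(visitor_id, empresa.id)
    return existing if existing
    grant = Grant.new(visitor_id, empresa.id, :read, :pending)
    @grants << grant
    grant
  end

  # Only the profile owner may accept a request; anyone else (including the
  # requester) gets false and nothing changes.
  def accept(actor_id, visitor_id, empresa)
    return false unless empresa.usuario_id == actor_id
    grant = find_grant(visitor_id, empresa.id)
    return false if grant.nil?
    grant.status = :accepted
    true
  end

  # The owner can withdraw access again; returns true if a row was removed.
  def revoke(actor_id, visitor_id, empresa)
    return false unless empresa.usuario_id == actor_id
    before = @grants.size
    @grants.reject! { |g| g.usuario_id == visitor_id && g.empresa_id == empresa.id }
    @grants.size < before
  end

  # Deny by default: the owner gets manage actions, a visitor with an accepted
  # :read grant gets read actions only, everyone else gets nothing.
  def can?(usuario_id, action, empresa)
    return MANAGE_ACTIONS.include?(action) if empresa.usuario_id == usuario_id
    return false unless READ_ACTIONS.include?(action)
    grant = find_grant(usuario_id, empresa.id)
    !grant.nil? && grant.role == :read && grant.status == :accepted
  end

  # What a controller callback would call after loading the record by slug.
  # "not found" and "not allowed" raise the same error, so a visitor cannot
  # learn which slugs exist by probing.
  def authorize!(usuario_id, action, empresa)
    raise AccessDenied unless empresa && can?(usuario_id, action, empresa)
    empresa
  end

  # For an index page: the profiles this user owns plus the ones shared with them.
  def visible_empresas(usuario_id, empresas)
    empresas.select { |e| can?(usuario_id, :show, e) }
  end

  private

  def find_grant(usuario_id, empresa_id)
    @grants.find { |g| g.usuario_id == usuario_id && g.empresa_id == empresa_id }
  end
end

if __FILE__ == $PROGRAM_NAME
  ac   = AccessControl.new
  acme = Empresa.new(1, 10, 'acme')   # constructed: profile owned by user 10
  ac.request_access(20, acme)         # user 20 asks to see it
  puts ac.can?(20, :show, acme)       # false until the owner accepts
  ac.accept(10, 20, acme)
  puts ac.can?(20, :show, acme)       # true
  puts ac.can?(20, :edit, acme)       # still false: read grant only
end
```

The point the table makes for the nested-resource question is that the grant, not the URL, decides visibility: the controller still finds the profile under its owner, then asks the table whether current_usuario may read it. Mapping this onto CanCan would mean expressing the same two rules (owner manages, accepted grant reads) in an Ability class.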