What is a common approach to scope records by those that a user can “read”?

太阳男子 2020-12-21 13:11

I am using Ruby on Rails 3.2.2 and I would like to know what is a common approach when it must be checked if a user has proper authorizations to "read" records present in

5 answers
  •  有刺的猬
    2020-12-21 13:40

    I had the same issue on a system I'm currently working on.

    The most efficient way I found was to implement a batch job that pre-calculates the authorization state of each record. I went with something like accessible_by_companies and stored an array with all the company codes that could access those records, but you might as well work with accessible_by_users if that's your case.

    On the "show" action, I recalculate the list of authorized companies for the record, use it to perform the authorization check, and store it again.

    I used ElasticSearch to store the pre-calculated values and all the data I needed to perform queries and listings. The database is only touched when viewing a record or by the batch job. There's a big performance gain with this approach; give it a try.
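
Added example, not part of the answer above: a plain-Ruby sketch of the pattern it describes (a precomputed `accessible_by_companies` list per record, listings served from the index, and a recheck on "show"). The hashes standing in for the database and ElasticSearch, the sample data, and every name other than `accessible_by_companies` are assumptions.

```ruby
require "set"

# Source of truth (stands in for the database): companies holding a grant on each record.
# All names and data here are constructed for illustration.
GRANTS = {
  1 => Set["ACME", "GLOBEX"],
  2 => Set["ACME"],
  3 => Set["INITECH"],
}

# Search index (stands in for ElasticSearch): record id => precomputed company codes.
INDEX = {}

# Authoritative computation of which companies may read a record.
def compute_accessible_by_companies(record_id)
  GRANTS.fetch(record_id, Set.new).to_a.sort
end

# Batch job: precompute the authorization state of every record.
def reindex_all
  GRANTS.each_key do |id|
    INDEX[id] = { accessible_by_companies: compute_accessible_by_companies(id) }
  end
end

# Listing: filter on the precomputed field only, never touching the source of truth.
def list_for(company)
  INDEX.select { |_, doc| doc[:accessible_by_companies].include?(company) }.keys.sort
end

# "show": recalculate, authorize against the fresh list, then store it back.
# Unknown ids and unauthorized reads are both refused (fail closed).
def show(record_id, company)
  return :not_found unless GRANTS.key?(record_id)
  fresh = compute_accessible_by_companies(record_id)
  INDEX[record_id] = { accessible_by_companies: fresh }
  fresh.include?(company) ? :ok : :forbidden
end
```

If a grant is revoked after the batch run, the listing still shows the record until the next reindex or "show"; the per-record recheck is what actually enforces the revocation.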
