I really hate to embed my authorization code into my business logic. There are some gems to prevent this evil. I have experience with pundit and cancan.
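To show what "keeping authorization out of the business logic" looks like in practice, here is an added example written for this post; it is not code from the post, from pundit or from cancan. It is plain Ruby with no gem dependency and mirrors the shape pundit uses (a `PostPolicy` with predicate methods and an `authorize!` helper); the `User`, `Post` and `NotAuthorizedError` classes and the `update_post` business method are constructed for the example. The base policy denies every action, so a rule that was never written fails closed, and the business method contains exactly one authorization call.

```ruby
# Added example (not from the post or the pundit gem): a minimal policy-object
# layer in plain Ruby. User, Post, NotAuthorizedError and update_post are
# constructed for this example.
User = Struct.new(:id, :role)
Post = Struct.new(:id, :author_id, :published)

class NotAuthorizedError < StandardError; end

# Base policy: every action is denied unless a subclass explicitly allows it,
# so a forgotten rule fails closed rather than open.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    false
  end

  def update?
    false
  end

  def destroy?
    false
  end
end

# All access rules for Post live here and nowhere else.
class PostPolicy < ApplicationPolicy
  def show?
    record.published || owner? || admin?
  end

  def update?
    owner? || admin?
  end

  def destroy?
    admin?
  end

  private

  def owner?
    !user.nil? && user.id == record.author_id
  end

  def admin?
    !user.nil? && user.role == :admin
  end
end

# Resolves the policy by naming convention (Post -> PostPolicy), as pundit does.
def policy_for(user, record)
  Object.const_get("#{record.class.name}Policy").new(user, record)
end

# Returns true/false for an action without raising; handy for view-level checks.
def can?(user, record, action)
  policy_for(user, record).public_send(action) ? true : false
end

# Raises unless the policy allows the action. Business code calls this once and
# carries no role or ownership checks of its own.
def authorize!(user, record, action)
  raise NotAuthorizedError, "#{action} denied for #{record.class.name} #{record.id}" unless can?(user, record, action)
  record
end

# Business logic: the only authorization concern here is the single authorize! call.
def update_post(user, post, attrs)
  authorize!(user, post, :update?)
  Post.new(post.id, post.author_id, attrs.fetch(:published, post.published))
end
```

Calling `update_post(User.new(2, :member), Post.new(10, 1, false), { published: true })` raises `NotAuthorizedError` because user 2 neither owns post 10 nor is an admin, while the same call with `User.new(1, :member)` succeeds. Adding a new rule means editing `PostPolicy`, not hunting through every method that touches a post.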