I’m trying to implement a primitive permissions system in my web app, and I want to know what you all think the best way to check permissions in my controllers. When I started writing the app, I originally thought it would be a good idea to use a before_filter, and my code ended up looking something like this:

before_filter :authenticate, :only => [:new, :create, :show, :edit, :update, :destroy, :delete]
before_filter :check_league_existence
before_filter :check_league_relation_existence, :except => [:new, :create, :index]
before_filter :check_ownership, :only => [:delete, :destroy]
before_filter :check_user_joinability, :only => [:new, :create]
before_filter :require_moderator, :only => [:edit, :update]

With my filters looking something like this:

def check_league_relation_existence
  raise ActiveRecord::RecordNotFound.new('Not Found') unless current_league_relation && current_league.league_relations.include?(current_league_relation)
end

def check_ownership
  raise ActionController::RoutingError.new('You do not own this league relation. Permission Denied.') unless current_league_relation.user == current_user || current_user_league_relation.moderator?
end

Now this system does work to some degree, but it has a number of problems. The two biggest of which are: 1) It is hard to understand what is going on because there are so many filters, and 2) I do not know how to write functional tests for this, because the errors are always picked up when testing unauthorized access. Does anyone have any suggestions as to a better way to check permissions?