At present I have the following models:

users <-> permissions <-> objects

I wish to expand this to include groups, so that groups can contain
users and have permissions (a user might be part of more than one
group). However, the only way I see to do this is:

users <-> user_permissions <-> objects
users <-> group_memberships <-> groups <-> group_permissions <-> objects

Is there a nicer way to do this so that I only need one permissions
model, or is this the best way to do it?

Also, whichever way I do it, is there a nice way to make groups for
special cases such as “all users” and “administrators” without having
them in the database?

Thanks.

if you look at the code from the Rails Recipes book (
http://www.pragmaticprogrammer.com/titles/fr_rr/code.html) you’ll find a
potential solution in Recipe 32. It’s a bit lengthy to go into, and I’m
not
that hot at summarizing code, but basically you have this:

class User < ActiveRecord::Base
has_and_belongs_to_many :roles

other stuff

end

class Role < ActiveRecord::Base
has_and_belongs_to_many :users
has_and_belongs_to_many :rights
end

class Right < ActiveRecord::Base
has_and_belongs_to_many :roles
end

the rights table contains a field for name, controller, and action