Share information between users

Hi everyone

I'm using Devise for authentication. I have a User model and a Company Profile model. The Company Profile model belongs to a User. But a User can receive a request from another user to see its Company Profile info. Once the request is accepted, the user can then see that profile.

I would like to know what is the best way of doing this:

  1. If I create the Company Profile as a nested resource from user, how can I permit another user to see it, since I always have to have the user_id of who owns the profile?

  2. Use CanCan and create a rule table where I store user_id, company_id, role and add to this table permissions for admin (the owner) and read (for users who are authorised)?

Any other ideas?

Company Profile Model:

    class Empresa < ActiveRecord::Base
      validates :tipo, presence: true
      validates :apelido, :uniqueness => true
      validates :cpf_cnpj, :uniqueness => true
      validates :nome, presence: true
      validates :slug, :uniqueness => true

      TIPO = [
        'Atacadista',
        'Varejista',
        'Atacadista e Varejista',
        'Representantes',
        'Serviços',
        'Imprensa'
      ]

      validates :tipo,
                inclusion: { in: TIPO }

      before_validation :gera_slug
      belongs_to :usuario, dependent: :destroy

      def to_param
        slug
      end

      def gera_slug
        self.slug ||= apelido.parameterize if apelido
      end
    end

User Model:

    class Usuario < ActiveRecord::Base
      # after_create :send_welcome_email
      # has_one :empresas, dependent: :destroy
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable
      validates :email,
                :presence => true,
                :uniqueness => true,
                :format => { :with => /\A[^@\s]+@([^@.\s]+\.)*[^@.\s]+\z/ }

      # has_one :empresas, dependent: :destroy
      # accepts_nested_attributes_for :empresas
      # private

      #   def send_welcome_email
      #     UserMailer.signup_confirmation(self).deliver
      #     # redirect_to self, notice: "Conectado com sucesso. Enviamos um email de boas vidas, verifique se você o recebeu pois será nossa forma de comunicação !"
      #   end
    end

User controller: Devise, nothing changed

Company Profile controller:

    class EmpresasController < ApplicationController
      before_action :authenticate_usuario!
      before_action :set_empresa, only: [:show, :edit, :update, :destroy]

      def index
        @empresa = @usuario.empresas
      end

      def show
        # @empresa.find(params[:usuario_id])
        # @empresa = @usuario.empresas
        # @empresa = Empresa.find(params[:slug])
        # if !@empresa
        #   redirect_to new_usuario_empresa_path(current_usuario)
        # end
      end

      def new
        @empresa = @usuario.empresas.new
        @usuario.empresas.build
      end

      def edit
        # @empresa = @usuario.empresas
      end

      def create
        @empresa = @usuario.empresas.new(empresa_params)
        respond_to do |format|
          if @empresa.save
            format.html { redirect_to usuario_empresa_path(@usuario, @empresa), notice: 'Cadastro efetuado com sucesso !' }
            format.json { render :show, status: :created, location: usuario_empresa_path(@usuario, @empresa) }
          else
            format.html { render :new }