I am trying to add authorization to a fairly large application that already exists, but I need to confuse the details a bit.
Here's the background:
In our application, we have a number of roles that are hierarchical, something like this:
BasicUser -> SuperUser -> Admin -> SuperAdmin
For authorization, each instance of the user model has an attribute "role", which corresponds to the above.
We have a RESTful "Users" controller, which is referred to as Backoffice. So, briefly this is Backoffice::UsersController:

    class Backoffice::UsersController < ApplicationController
      filter_access_to :all
    end
So here is the problem:
We want users to be able to allow users to edit users, but ONLY if they have a "smaller" role than they currently have. I created the following in authorization_rules.rb
    authorization do
      role :basic_user do
        has_permission_on :backoffice_users, :to => :index
      end

      role :super_user do
        includes :basic_user
        has_permission_on :backoffice_users, :to => :edit do
          if_attribute :role => is_in { %w(basic_user) }
        end
      end

      role :admin do
        includes :super_user
      end

      role :super_admin do
        includes :admin
      end
    end
if_attribute:

    if_attribute :role => is { 'basic_user' }
    if_attribute :role => 'basic_user'
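Added example, not the asker's code: a plain-Ruby model of the role ladder and of the "may only edit users with a strictly smaller role" rule, so the decision logic can be checked without the gem. It also shows why a hard-coded `is_in { %w(basic_user) }` is fragile: `admin` includes `super_user`, so an admin inherits that rule and could edit only basic users, never super users. Computing the permitted set from the actor's own role fixes that; the `user` accessor inside the `if_attribute` block is an assumption based on the gem's documented examples and is not used in the code below.

```ruby
# Constructed for this example: the hierarchy from the question, lowest first.
ROLE_LADDER = %w[basic_user super_user admin super_admin].freeze

# Minimal stand-in for the application's user model (assumption: it
# exposes a string or symbol `role`, as the question describes).
User = Struct.new(:name, :role)

# Position of a role on the ladder; unknown roles are rejected loudly
# rather than silently ranking lowest.
def role_rank(role)
  rank = ROLE_LADDER.index(role.to_s)
  raise ArgumentError, "unknown role #{role.inspect}" if rank.nil?
  rank
end

# Roles strictly below the given role (empty for basic_user). This is the
# set an `if_attribute :role => is_in { roles_below(user.role) }` rule
# would need, instead of the fixed %w(basic_user).
def roles_below(role)
  ROLE_LADDER.first(role_rank(role))
end

# The rule the question is trying to express: the target's role must be
# strictly smaller than the actor's. Equal roles are refused, so a
# super_user cannot edit another super_user.
def may_edit?(actor, target)
  roles_below(actor.role).include?(target.role.to_s)
end

# Filter a collection the way the edit action would need to.
def editable_users(actor, users)
  users.select { |u| may_edit?(actor, u) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample users.
  staff = [User.new("ann", :basic_user), User.new("bob", :super_user),
           User.new("cid", :admin), User.new("dee", :super_admin)]
  staff.each do |actor|
    names = editable_users(actor, staff).map(&:name)
    puts "#{actor.name} (#{actor.role}) may edit: #{names.inspect}"
  end
end
```

Note that the admin only gains the right to edit super users because the permitted set is derived from `roles_below(actor.role)`; with the inherited fixed list from the question, the admin's edit rights would stop at basic users.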