Bruce Perens is working on model security for Active Record sponsored by Sourcelabs:

I’ve developed ModelSecurity, a new Ruby on Rails facility that helps
developers implement a security defense in depth by implementing
access control within the data model.

If you are like most developers, you think about security when you
program controllers and views. But a bug in your controller or view can
compromise the security of your application, unless your data model has
also been secured.

The economical, flexible, and extremely readable means of specifying
access controls provided by ModelSecurity makes it easier for the
developer to think about security, and makes security assumptions that
might otherwise live in one developers head concrete and communicable
to others.

Please check it out and give Bruce a hand with testing.