The number one feature request for our role-based permissions gem Aegis is support for multiple roles per user. It's also the one request we refuse to implement on a weekly basis.
Our belief is that you should only distinguish roles that have fundamentally different ways of resolving their permissions. A typical set of roles would be:
- anonymous guest (has access to nothing with some exceptions)
- signed up user (has access to some things depending on its attributes and associations)
- administrator (has access to everything)
We don’t do multiple, parametrized roles like "leader for project #2" and "author of post #7". That would be reinventing associations. Just use a single :user role and let your permission block query regular associations and attributes.
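
The approach above, sketched as an added example in plain Ruby. It is not Aegis code and does not use the Aegis API; `may?`, `PERMISSIONS` and the `User`, `Post` and `Project` structs are hypothetical stand-ins for your models. Each user has exactly one role, and "leader of this project" or "author of this post" is answered by the record's own association.

```ruby
# Added illustration in plain Ruby; this is not the Aegis API.
# All class, method and permission names here are hypothetical.
User    = Struct.new(:name, :role)            # role is :user or :admin
Post    = Struct.new(:title, :author, :published)
Project = Struct.new(:title, :leader)

# Each permission maps a role to a rule. A rule is a block that inspects
# ordinary attributes and associations of the record being accessed.
PERMISSIONS = {
  read_post: {
    guest: ->(_user, post) { post.published },  # one of the guest exceptions
    user:  ->(user, post)  { post.published || post.author == user }
  },
  edit_post: {
    user: ->(user, post) { post.author == user } # no "author of post #7" role
  },
  manage_project: {
    user: ->(user, project) { project.leader == user } # no "leader for project #2" role
  }
}.freeze

# user is nil for an anonymous visitor, who is treated as :guest.
def may?(user, permission, record)
  rules = PERMISSIONS.fetch(permission)  # a misspelled permission raises KeyError
  role  = user ? user.role : :guest
  return true if role == :admin          # administrator: access to everything
  rule = rules[role]
  return false unless rule               # no rule for this role: deny
  rule.call(user, record) ? true : false
end

# Constructed sample data.
alice  = User.new("alice", :user)
bob    = User.new("bob", :user)
root   = User.new("root", :admin)
draft  = Post.new("Draft", alice, false)
apollo = Project.new("Apollo", bob)

puts may?(alice, :edit_post, draft)        # alice is the author
puts may?(bob, :edit_post, draft)          # bob has the same role, different association
puts may?(bob, :manage_project, apollo)    # bob leads this project
puts may?(nil, :read_post, draft)          # guest, unpublished post
puts may?(root, :manage_project, apollo)   # admin
```

Alice and Bob share the single `:user` role; what differs between them is only which records point back at them.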