CakePHP: Model Based Permissions?

Struggling with deciding how best to handle client-level authentication with the following model hierarchy:

Customer -> Shop -> Product (Personnel, EquipmentItem, etc.)

... where the Customer hasMany Stores, and a Store hasMany Products (hasMany Staff, hasMany EquipmentItem, etc.).

I have established a HABTM relationship between the user and the client, which is simple and accessible through an Auth session or a static method in the user model if needed (see description below).

I am currently trying to evaluate the results in each model after the post-validation callback by checking the relationship with the Client, based on the model that I request, against the Clients to which the current User belongs; i.e. if the current model is a Client, check the ID; if the current model is a Store, check Store.clientid; and finally, if it is a Product, select the parent Store from Item.storeid and check Store.clientid accordingly.

However, to conform to correct MVC, I return true or false from afterFind and then have to check the return value in the caller. That's OK, but I can't see how to determine whether Model->find (or Model->read, etc.) returned false because of an invalid id in the search or because of client permissions in afterFind; it also means that I would have to modify every action.

Another method I played with is to evaluate the request in app_controller.beforeFilter and split the request into controller/action/id; I can then query the appropriate model and evaluate its fields against Auth.User.clients to determine if the user has access to the requested client. This looks OK, but leaves me no way (afaik) to handle /controller/index, and it seems logical that the index results should reflect client membership.

Both also involve a long list of conditional "rules" that I need to work through to determine where the current model/action/id sits in the client context. All in all, both feel a little fragile and confusing to me.

Is there a third option that I'm not looking at?

+2


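To make the afterFind approach from the question concrete, here is an added example (not code from the asker or from CakePHP) of an AppModel that applies the Client -> Store -> Product ownership check described above. It assumes CakePHP 1.2, foreign keys `Store.client_id` and `<model>.store_id`, and a `User::currentClientIds()` helper (the static method on the User model the question mentions; its name is assumed). It also records why a record was dropped, so a caller can tell an invalid id apart from a client-permission rejection, which is the ambiguity the question points out.

```php
<?php
// Added example (not from the question or from CakePHP itself).
// Assumptions: CakePHP 1.2; Client hasMany Store; Store hasMany Product,
// Staff, EquipmentItem, ...; foreign keys Store.client_id and <Model>.store_id;
// User::currentClientIds() (assumed name) returns the ids of the clients the
// logged-in user belongs to, as the question says is available via Auth.

class AppModel extends Model {

    // Set to true when afterFind dropped a record because it belongs to a
    // client the user is not a member of. A bare false from find() cannot
    // tell the caller "not found" from "not permitted"; this flag can.
    var $permissionDenied = false;

    function beforeFind($queryData) {
        $this->permissionDenied = false; // reset once per query
        return $queryData;
    }

    function afterFind($results, $primary = false) {
        // Only filter primary results; associated rows are reached through a
        // primary record that has already passed the check.
        if (!$primary || empty($results)) {
            return $results;
        }
        $allowed = User::currentClientIds();
        foreach ($results as $i => $row) {
            if (!isset($row[$this->alias])) {
                continue; // e.g. the find('count') result shape
            }
            $clientId = $this->clientIdFor($row[$this->alias]);
            if ($clientId === null || !in_array($clientId, $allowed)) {
                $this->permissionDenied = true;
                unset($results[$i]);
            }
        }
        // Reindex so find('first') callers still see $results[0].
        return array_values($results);
    }

    // Resolve the owning client id for one record of the current model by
    // walking the Client -> Store -> Product hierarchy from the question.
    function clientIdFor($record) {
        switch ($this->alias) {
            case 'Client':
                return isset($record['id']) ? $record['id'] : null;
            case 'Store':
                return isset($record['client_id']) ? $record['client_id'] : null;
            default:
                // Store-level items (Product, Staff, EquipmentItem, ...): look up
                // the parent store's client. Store's own afterFind runs here as
                // well, so a store outside the user's clients yields no row.
                if (empty($record['store_id'])) {
                    return null; // record with no owner: deny by default
                }
                $Store = ClassRegistry::init('Store');
                $clientId = $Store->field('client_id', array('Store.id' => $record['store_id']));
                return $clientId ? $clientId : null;
        }
    }
}
?>
```

Because the filter runs on every primary find, index actions automatically show only records from the user's clients, and a `read()` of a foreign record comes back empty. In the controller, when the result is empty, `$this->Store->permissionDenied` distinguishes a bad id from a record the user may not see, so the two cases can be handled differently without adding a check to every action.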


1 answer


This seems to work for Cake's ACL. It's a bit of a learning curve, but once you figure it out, this method is very powerful and flexible.

Cake's ACL files (Access Control Lists) allow you to map users to controllers up to the CRUD (Create Read Update Delete) level. Why use it?

1) The code already exists for you. AuthComponent is already built in.
2) It's powerful and integrated, allowing you to control the permissions for every action on your site.
3) You will be able to find help from other cake bakers who have already used it.
4) Once you configure it for the first time, it will be much easier and faster to implement full site permissions for any other application.



Here are some links:

http://bakery.cakephp.org/articles/view/how-to-use-acl-in-1-2-x
http://book.cakephp.org/view/171/Access-Control-Lists
http://blog.jails.fr/cakephp/index.php?post/2007/08/15/AuthComponent-and-ACL

Or you can just google for CakePHP ACL

0

