How would you implement an authorization system in Rails?

Let's say you have users-or-members in your application and each user has his/her own contacts. How would you implement the functionality to allow user1 to add/modify contacts for user2, but not delete.

Basically what I am looking for is a flexible way for users to allow each other to modify some and parts of their resources.