CanCan Nested Resource Controller Authorization

In my application, a user is allowed to assign another user as their "account manager" and the account manager would be allowed to modify all user info. I defined the following ability:

can :manage, User do |user|开发者_JAVA百科
    user == current_user or user.account_manager == current_user
end

A user also has some nested resources (e.g: publications). I defined the following ability:

can :manage, Publication do |publication, user|
    publication.user == current_user or user == current_user or user.account_manager == current_user
end

In the views I check using the following:

can? :update, @publication, @user_we_are_accessing

can? :create, Publication.new, @user_we_are_accessing.

Everything works just fine so far. My problem is with the controller. In my PublicationsController I added:

load_and_authorize_resource :user

load_and_authorize_resource :publication, :through => :user

However this always throws AccessDenied, because the check for publication is not passing the user object to the ability (trying to inspect the user object in the ability shows nil).

Any ideas how I can go about implementing this?

tl;dr: Using CanCan to authorize access to resources. User can assign another user as account manager. User has nested resources. Problem: nested resource is not accessible by account manager.

I solved this by doing the following:

1) replaced load_and_authorize_resource :publication with just loading the resource load_resource :publication
2) Added a before_filter :authorize after the load_resource call with the following implementaiton:

def authorize
    raise CanCan::AccessDenied unless can? :manage, @publication, @user
end

This works, but I was hoping for a way that would solve this in the devise way, if there is such a thing. Thoughts and feedback are appreciated.