Authorise action with CanCan through model relationship

I'm using CanCan and Devise for the auth processes in an app and everything is working perfectly.

However, we have a setup in which users can create lists of items.

The List model has a user_id and the auth works fine on that, but the ownership of items is handled through the List :has_many Item relationship and Item doesn't actually have a user_id column.

How does CanCan handle this?

I tried

can :manage, Item do |item|
  item.list.user_id = user.id
end

but typing the Item id in the URL gives every user access to every item, regardless of the List ownership.

I couldn't find anything that seemed to cover this in the wiki on CanCan's GitHub, so hoping someone here might be able to help.

Looking forward to comments. Thanks


Did you confuse = with ==?

can :manage, Item do |item|
  item.list.user_id == user.id
end
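Why the rule in the question lets every user through, as an added example that is not part of the original question or answer: `ToyAbility` is a hypothetical stand-in that assumes only that a block rule grants access when the block returns a truthy value, and the users, list and item are constructed sample data.

```ruby
# Stand-in for a CanCan-style ability (hypothetical, not CanCan's own code):
# a rule is a block, and access is granted when the block returns a truthy value.
List = Struct.new(:id, :user_id)
Item = Struct.new(:id, :list)
User = Struct.new(:id)

class ToyAbility
  def initialize
    @rules = {}
  end

  def can(action, klass, &block)
    @rules[[action, klass]] = block
  end

  def can?(action, object)
    rule = @rules[[action, object.class]]
    rule ? !!rule.call(object) : false
  end
end

# Rule from the question: `=` assigns, and the assigned Integer is truthy.
def buggy_ability(user)
  ToyAbility.new.tap { |a| a.can(:manage, Item) { |item| item.list.user_id = user.id } }
end

# Rule from the answer: `==` compares the list owner with the current user.
def fixed_ability(user)
  ToyAbility.new.tap { |a| a.can(:manage, Item) { |item| item.list.user_id == user.id } }
end

# Negative authorization check on constructed data: list 10 belongs to user 1,
# user 2 is a stranger who requests item 100 by id.
def check(builder)
  owner = User.new(1)
  stranger = User.new(2)
  item = Item.new(100, List.new(10, owner.id))
  {
    stranger_allowed: builder.call(stranger).can?(:manage, item),
    list_owner_after: item.list.user_id, # the buggy rule overwrites this in memory
    owner_allowed: builder.call(owner).can?(:manage, item)
  }
end

p check(method(:buggy_ability))
p check(method(:fixed_ability))
```

A test that asserts a non-owner is denied, as `check` does here, catches this class of mistake where a test that only exercises the owner would pass with either rule.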
