CanCan and Devise, restricting login based on Role
I've just finished setting up Devise on a single application, using a single User model with two scopes, so I can have an /admin/login as well as a regular /users/login path. This works pretty well, my config/routes.rb file looks like this:
    devise_for :users,
      :path_names => { :sign_in => 'login', :sign_out => 'logout' }
    devise_for :admins,
      :class_name => 'User',
      :skip => [:passwords, :registrations, :confirmations, :sessions],
      :controllers => { :sessions => 'admin/sessions' } do
        get 'admin/login' => 'admin/sessions#new', :as => :new_admin_session
        post 'admin/login' => 'admin/sessions#create', :as => :admin_session
        delete 'admin/logout' => 'admin/sessions#destroy', :as => :destroy_admin_session
    end
This works pretty fine and dandy, I can log in to each side of the application without affecting the other. That is, the session names are separate and logging into one does not log you into the other.
Now, I've set up CanCan with my Roles model, and an Ability model, and have these defined in my database and working.
Question is, I want to be able to fill out the form on admin/login, and receive an error message because my Role doesn't allow me to log into that area. How can I accomplish this?
I am a bit confused by your question. If you are filling out the form on admin/login, then presumably you have not logged in yet?
If that's the case, then there is no current_user or current_admin and therefore nothing is passed to CanCan yet.
I have a similar set-up in my app and maintain different accounts on each side of the app. My user account is different than my admin account. If I forget and try to log in to the admin side using my regular user account, I simply receive an unknown user/password error from Devise.
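The ordering described in this answer, as an added example (not code from the question or the answer, and not Devise or CanCan API): credentials are verified first, and only then is the scope's role requirement checked, before any session key is written. `sign_in`, `build_user`, `REQUIRED_ROLE` and the PBKDF2 hashing are assumptions chosen to keep the sketch standard-library only; Devise itself uses bcrypt.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for the single User model shared by both login scopes.
User = Struct.new(:email, :salt, :digest, :roles)

# PBKDF2 is used here only so the example needs no gems (assumption).
def digest_for(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, OpenSSL::Digest.new('SHA256'))
end

def build_user(email, password, roles)
  salt = SecureRandom.random_bytes(16)
  User.new(email, salt, digest_for(password, salt), roles)
end

# Hypothetical mapping: the role each login scope requires (nil = any user).
REQUIRED_ROLE = { user: nil, admin: :admin }.freeze

# Returns [ok, message]. The session hash is keyed per scope, like the
# separate session names described in the question.
def sign_in(users, session, scope, email, password)
  user = users[email]
  # Step 1: authentication. Until this succeeds there is no current user,
  # so no role or ability check can run. A dummy salt and digest keep the
  # work the same for unknown emails.
  candidate = digest_for(password, user ? user.salt : "\0" * 16)
  expected  = user ? user.digest : "\0" * 32
  valid = OpenSSL.fixed_length_secure_compare(candidate, expected) && !user.nil?
  return [false, 'Invalid email or password.'] unless valid

  # Step 2: role gate for this scope, before any session key is written.
  role = REQUIRED_ROLE.fetch(scope)
  unless role.nil? || user.roles.include?(role)
    return [false, 'Your role does not allow access to this area.']
  end

  session[scope] = user.email
  [true, 'Signed in.']
end
```

The role-specific message is returned only after the password has been verified, so an unknown email and a wrong password still produce the same generic error.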