There are a lot of Rails plugins out there that handle user permissions. I'm impressed with the implementation in the Hobo gem, but I'm not sure if I can use just this feature and not the other parts. GateKeeper is a really clever implementation, but has some bugs, though it's small enough I could probably fix it myself. Restful_ACL gives you a class method for checking creation, meaning you can't do any checks on the instance in question (not sure if it does scoped finds).
I'd like something that provides a scoped version of ActiveRecord#find which only finds things the current user is allowed to see. This should be robust enough to say: you can only see pictures that are in galleries that are owned by you or one of your friends.
As a bonus, it could prevent creates or updates (in a before_* or validation step) that you don't have the right to perform, including associating your own records with a different user or gallery, or creating such records.
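The two behaviours asked for above, a viewer-scoped find and create/update guards that refuse to attach a record to someone else's gallery, as an added plain-Ruby example that is not part of the original post and is not code from Hobo, GateKeeper or Restful_ACL. It stands in for ActiveRecord with in-memory tables so it runs without Rails; the `User`, `Gallery` and `Picture` models, the `visible_to` scope, the `authorize_write!` guard and the seed data are all constructed for illustration.

```ruby
# Constructed example: user-scoped finds plus write guards, modelled without
# ActiveRecord. In Rails, visible_to would be a scope taking current_user and
# authorize_write! would run from before_create / before_update.

class NotAuthorized < StandardError; end

User    = Struct.new(:id, :friend_ids)
Gallery = Struct.new(:id, :owner_id)

class Picture
  attr_reader :id, :gallery_id

  def initialize(id, gallery_id)
    @id = id
    @gallery_id = gallery_id
  end

  # In-memory "tables" standing in for database rows.
  def self.galleries; @galleries ||= {}; end
  def self.all;       @all ||= [];       end
  def self.reset!;    @galleries = {}; @all = []; end

  # Scoped find: only pictures in galleries owned by the viewer or by one of
  # the viewer's friends are returned; everything else is invisible.
  def self.visible_to(viewer)
    allowed_owners    = [viewer.id, *viewer.friend_ids]
    allowed_galleries = galleries.values
                                 .select { |g| allowed_owners.include?(g.owner_id) }
                                 .map(&:id)
    all.select { |pic| allowed_galleries.include?(pic.gallery_id) }
  end

  # Guarded create (before_create equivalent): the acting user must own the
  # gallery the new picture is being placed in.
  def self.create!(actor, id:, gallery_id:)
    pic = new(id, gallery_id)
    pic.authorize_write!(actor)
    all << pic
    pic
  end

  # Write guard shared by create and update. It is an instance check, so it can
  # look at the gallery this particular record is being attached to.
  def authorize_write!(actor)
    gallery = Picture.galleries[gallery_id]
    raise NotAuthorized, "gallery #{gallery_id} does not exist" if gallery.nil?
    unless gallery.owner_id == actor.id
      raise NotAuthorized, "user #{actor.id} does not own gallery #{gallery_id}"
    end
    self
  end

  # Guarded update (before_update equivalent): the actor must own both the
  # current gallery and the destination gallery, so a picture cannot be moved
  # into another user's gallery.
  def move_to!(actor, new_gallery_id)
    authorize_write!(actor)
    Picture.new(id, new_gallery_id).authorize_write!(actor)
    @gallery_id = new_gallery_id
    self
  end
end

# Constructed seed data: alice and bob are friends; carol is a stranger.
def seed_demo
  Picture.reset!
  alice = User.new(1, [2])
  bob   = User.new(2, [1])
  carol = User.new(3, [])
  [Gallery.new(10, alice.id), Gallery.new(20, bob.id), Gallery.new(30, carol.id)]
    .each { |g| Picture.galleries[g.id] = g }
  Picture.create!(alice, id: 100, gallery_id: 10)
  Picture.create!(bob,   id: 200, gallery_id: 20)
  Picture.create!(carol, id: 300, gallery_id: 30)
  { alice: alice, bob: bob, carol: carol }
end

# Exercises the scope and both guards from alice's point of view.
def demo
  alice   = seed_demo[:alice]
  visible = Picture.visible_to(alice).map(&:id).sort

  moved_to_bob = begin
    Picture.all.find { |p| p.id == 100 }.move_to!(alice, 20)
    :allowed
  rescue NotAuthorized then :denied
  end

  created_in_carol = begin
    Picture.create!(alice, id: 101, gallery_id: 30)
    :allowed
  rescue NotAuthorized then :denied
  end

  { visible: visible, moved_to_bob: moved_to_bob,
    created_in_carol: created_in_carol, picture_count: Picture.all.size }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows alice can see her own picture and bob's (a friend's), but cannot see carol's, cannot move her picture into bob's gallery, and cannot create a picture in carol's gallery; the rejected create never reaches the table. The important design point is that the guard is evaluated on the instance being written, which is exactly what a class-level creation check cannot do.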