Don't secure the controller method, secure the record. In a schema where:
User :has_many Thingies
you can do:
current_user.thingies.find(params[:id])
Where current_user is typically instantiated by your authentication filter. This effectively scopes the find only to those thingies that belong to a particular user.
Good question. Obviously, you are moving more toward an ACL or role-based authentication system, so it's not as simple as keeping people out of each other's data. If you created a habtm relationship instead of has_many, your data records could belong to both the user-level owner and also the admin. Just a thought.
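The scoped lookup and the habtm idea from the posts above, as an added example that is not part of the original thread. It is a plain-Ruby stand-in for ActiveRecord (no Rails or database), and ScopedThingies, show, show_unscoped and the sample records are hypothetical names and constructed data.

```ruby
# Plain-Ruby stand-in for ActiveRecord (assumption: no Rails or database here).
class RecordNotFound < StandardError; end

Thingy = Struct.new(:id, :name, :user_ids)

# Constructed sample data: thingy 1 belongs to alice (10), 2 to bob (20),
# 3 is shared between bob and an admin (99), as a habtm join would allow.
THINGIES = [
  Thingy.new(1, "alice-notes", [10]),
  Thingy.new(2, "bob-notes",   [20]),
  Thingy.new(3, "bob-report",  [20, 99]),
].freeze

# Mimics the relation returned by current_user.thingies.
class ScopedThingies
  def initialize(user_id, store)
    @user_id = user_id
    @store = store
  end

  # The ownership filter and the id lookup are a single query, so a
  # record owned by someone else looks exactly like a missing record.
  def find(id)
    key = Integer(id.to_s, 10) # params[:id] arrives as a string
    @store.find { |t| t.id == key && t.user_ids.include?(@user_id) } ||
      raise(RecordNotFound, "Couldn't find Thingy with id=#{key}")
  rescue ArgumentError, TypeError
    raise RecordNotFound, "Couldn't find Thingy with id=#{id.inspect}"
  end
end

User = Struct.new(:id, :name) do
  def thingies
    ScopedThingies.new(id, THINGIES)
  end
end

# Hypothetical controller action using the scoped find: returns [status, body].
def show(current_user, params)
  [200, current_user.thingies.find(params[:id]).name]
rescue RecordNotFound
  [404, "not found"] # same response for "missing" and "not yours"
end

# The unscoped lookup, for contrast: the id alone decides what is returned.
def show_unscoped(_current_user, params)
  thingy = THINGIES.find { |t| t.id == params[:id].to_i }
  thingy ? [200, thingy.name] : [404, "not found"]
end
```

Returning the same 404 for a foreign id and a nonexistent id also avoids confirming which ids exist.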