Nested and non-nested resources, and admin restrictions

This is a fairly long question, but it's a common one that applies to a lot of applications. Here goes!

Many apps have/want a setup similar to this:

1) ModelA has many ModelBs (Eg: User has many Photos).
2) Admins CRUD all photos at /photos and beyond (Eg: /photos/1/edit).
3) Admins CRUD User photos at /user/1/photos and beyond.
4) Users CRUD their photos at /account/photos and beyond.

Some people don't bother with #2, because photos can be CRUDed via #3. However, I want #2 because it gives you a higher/broader view of the Photos resource.

I'm trying to figure out an efficient, DRY/semi-DRY way of implementing this. At the moment:

For #2 above, I've:
1) Restricted PhotosController to admins.
2) Created a Photos resource (map.resources :photos).

For #3 above, I've:
1) Nested a Photos resource within the Users resource:
      map.resources :users, :has_many => :photos

For #4 above, I've:
1) Created Account::PhotosController, which restricts photos to the current user (account).
2) Nested Account::PhotosController within the Account singleton resource:
      map.resource :account do |account|
        account.resources :photos, :controller => 'account/photos'
      end

Everything but #3 works perfectly. /user/1/photos calls PhotosController#index , which finds all photos, rather than finding only photos belonging to user 1.

I've come up with a few solutions, but don't feel that any of them are ideal.

Solution #1:
Create a whole new controller, which finds photos within the specified user. However, this would duplicate 95% of PropertiesController, which is pretty dirty.

Solution #2:
Create a method in PhotosController that abstracts the finding of photos. However, this feels wrong because it's mixing functionality between two different resources (photos vs user-photos).
See http://pastie.org/pastes/322733

Solution #3:
Create a new controller which inherits from PhotosController, and add a bit of logic to PhotosController to prevent it from finding photos when they've already been found.
See http://pastie.org/322734

Solution #4:
Use the resource_controller plugin. However, I find that r_c limits what I can do in some controller actions. For example, r_c only provides customisable failure scenarios for #create, #update and #destroy, while I need to customise every action's failure scenario.

So, what do you guys think of those solutions, and are there any other solutions that are more ideal?

Cheers,
Nick