Validations: Controller Filters vs. Model validate()

Lately I have come to somewhat of a dilemma. Consider I have a Forum
model. A Forum belongs_to a Group, but not any one particular User. To
create a Forum, however, the Membership association between the User
and the Group must be at an admin-level (integer value is 3). In the
controller I use the before_filter called 'require_group_admin' to
ensure proper permissions. The problem is that in the Forum validate()
method, I cannot make sure that the user creating it has sufficient
permissions without adding a user_id foreign key.

Consider an opposite example. A Group also has_many Events. To create
an Event, just like a Forum, the User's Membership association with
the Group (:through) must be 3. As such, I use the same before_filter
in the controller as in the previous example. However, this time in
the validate() method of the Event class I can choose to make sure the
User has proper permissions because it belongs_to a User. This would
have to be done via something like:

"self.user.membership.find_by_group_id(group).status == 3"

Something very similar is required in the before_filter
'require_group_admin' to make sure the User can do that. I was told
that before_filters should be used to protect the viewing of files;
models to protect the actual data itself. So in theory I should be
using both. But I am repeating myself, thereby violating the infamous
DRY. And add to that the fact that I am doing two extra queries, if
not more ("self.user.membership" == find user, find membership by
user?).

Am I missing something here? Am I supposed to use both validations? If
so, what about in the first case? It doesn't make sense for a single
forum to "belong" to a user! Responses greatly appreciated!

- Michael