use a controller method to handle cancan denials