This is a perfect time/place/example for you to think on Authorization as well not just Authentication (authlogic).
With the gem declarative_authorization its a child's play to do this. You could just simply specify rules in the authorization rules:
authorization do
role :user do
has_permission_on :membership_cards, :to => :create do
if_attribute :organization => is {user.organization}
end
end
end
See Railscast - #188 about using these gems together.
====== After update on question information: ======
"CanCan was inspired by declarative_authorization and aegis" - from github-cancan
I looked it up how would you define such a rule with CanCan and there is a snippet on the page defining abilities for CanCan
class Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
can :create, MembershipCard do |card|
card.organization.user == user
end
end
end
You still need to customize it for your enviorement, but it should guide you to the solution.
See Railscast - 192 about using CanCan.