diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
index 59ddc20..6c5842e 100644
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,3 +1,5 @@
+* Parent resources are now authorized with :read action.
+
 * Changing :resource option in load/authorize_resource back to :class with ability to pass false
 * Removing :nested option in favor of :through option with separate load/authorize call
diff --git a/lib/cancan/controller_resource.rb b/lib/cancan/controller_resource.rb
index 7cd0984..94d3ca7 100644
--- a/lib/cancan/controller_resource.rb
+++ b/lib/cancan/controller_resource.rb
@@ -30,7 +30,7 @@ module CanCan
 end
 
 def authorize_resource
- @controller.authorize!(@params[:action].to_sym, resource_instance || resource_class)
+ @controller.authorize!(authorization_action, resource_instance || resource_class)
 end
 
 def parent?
@@ -41,14 +41,14 @@ module CanCan
 
 def load_resource_instance
 if !parent? && new_actions.include?(@params[:action].to_sym)
- resource_base.kind_of?(Class) ? resource_base.new(attributes) : resource_base.build(attributes)
+ resource_base.kind_of?(Class) ? resource_base.new(@params[name.to_sym]) : resource_base.build(@params[name.to_sym])
 elsif id_param
 resource_base.find(id_param)
 end
 end
 
- def attributes
- @params[name.to_sym]
+ def authorization_action
+ parent? ? :read : @params[:action].to_sym
 end
 
 def id_param
diff --git a/spec/cancan/controller_resource_spec.rb b/spec/cancan/controller_resource_spec.rb
index 736042e..df9e104 100644
--- a/spec/cancan/controller_resource_spec.rb
+++ b/spec/cancan/controller_resource_spec.rb
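Review bot: `authorization_action` in the second controller_resource.rb hunk turns every check on a parent resource into `:read` regardless of the controller action, and nothing in the code says why; a one-line comment above it would spare the next reader a trip to the changelog, e.g. `# A parent resource only needs to be readable; the action-specific check is made on the resource itself.` The same hunk inlines `@params[name.to_sym]` twice in `load_resource_instance` after dropping `attributes`; a local or a private helper would avoid the duplication. That value is handed straight to `new`/`build`, so any attribute filtering is left entirely to the model, which is worth stating in the comment so nobody assumes this layer does it. The enclosing class and module start outside both hunks.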
@@ -137,6 +137,13 @@ describe CanCan::ControllerResource do
 @controller.instance_variable_get(:@ability).should == :some_ability
 end
 
+ it "should only authorize :read action on parent resource" do
+ stub(Person).find(123) { :some_person }
+ stub(@controller).authorize!(:read, :some_person) { raise CanCan::AccessDenied }
+ resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "new", :person_id => 123}, :person)
+ lambda { resource.load_and_authorize_resource }.should raise_error(CanCan::AccessDenied)
+ end
+
 it "should load the model using a custom class" do
 stub(Person).find(123) { :some_resource }
 resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => Person})
@@ -148,7 +155,6 @@ describe CanCan::ControllerResource do
 stub(@controller).authorize!(:show, :ability) { raise CanCan::AccessDenied }
 resource = CanCan::ControllerResource.new(@controller, {:controller => "abilities", :action => "show", :id => 123}, {:class => false})
 lambda { resource.authorize_resource }.should raise_error(CanCan::AccessDenied)
-
 end
 
 it "should raise ImplementationRemoved when adding :name option" do
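Review bot: The new example in the first spec hunk only pins that the parent is authorized with `:read` when the child action is `new`; because the stub raises on the first `authorize!` call, it shows neither that the child is still checked with its own action nor that a write action on the child is kept off the parent. A second example with `:action => "destroy"` and the same `:read` stub, or an expectation that `authorize!` is subsequently called with `:new` on the child, would pin both halves of the behavior the changelog entry describes. The `describe` block enclosing these hunks starts outside the diff.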