Cancan authorizing child state

My setup: Rails 3.0.9, Ruby 1.9.2, Cancan 1.6.5

My models:

class User < ActiveRecord::Base
  has_many :projects
end

class Project < ActiveRecord::Base
  has_many :tasks
  belongs_to :user
end

class Task < ActiveRecord::Base
  belongs_to :project
end

ability.rb

can :manage, Task, :project => { :user_id => user.id } 

What I need is to only allow access to a task if user and project are authorized and project has a certain status determined by a project instance method like active? (I have a reason for not making it just an attribute). What’s the syntax for specifying the ability?
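One way to express the rule asked about above is a block condition, shown here as an added example that is not part of the original post. So that it runs without Rails or the cancan gem, `MiniAbility` is a hypothetical stand-in for `CanCan::Ability`, and the Struct models and the `archived` field behind `active?` are constructed for illustration.

```ruby
# MiniAbility: hypothetical stand-in for CanCan::Ability's can / can?,
# so this example runs without Rails or the cancan gem.
module MiniAbility
  def can(action, subject, &block)
    (@rules ||= []) << [action, subject, block]
  end

  def can?(action, object)
    klass = object.is_a?(Class) ? object : object.class
    (@rules || []).any? do |rule_action, subject, block|
      next false unless [:manage, action].include?(rule_action) && klass <= subject
      # As in CanCan, the block only runs for an instance; a class-level
      # check (e.g. for an index action) passes without consulting it.
      object.is_a?(Class) || block.nil? || block.call(object)
    end
  end
end

# Constructed models; active? is an instance method, as in the question.
User    = Struct.new(:id)
Project = Struct.new(:user_id, :archived) do
  def active?
    !archived
  end
end
Task = Struct.new(:project)

class Ability
  include MiniAbility

  def initialize(user)
    # Ownership and project state are both checked inside the block.
    can :manage, Task do |task|
      project = task.project
      !project.nil? && project.user_id == user.id && project.active?
    end
  end
end

def demo_results
  owner = Ability.new(User.new(1))
  other = Ability.new(User.new(2))
  live   = Task.new(Project.new(1, false))
  closed = Task.new(Project.new(1, true))
  { owner_live: owner.can?(:update, live), owner_closed: owner.can?(:update, closed),
    other_live: other.can?(:update, live), orphan: owner.can?(:update, Task.new(nil)),
    class_level: owner.can?(:index, Task) }
end
```

In a real Ability class, `include CanCan::Ability` takes the place of `MiniAbility` and the `can :manage, Task do |task| ... end` call stays the same. Because the block is skipped for class-level checks and CanCan cannot turn a block into a query for `accessible_by`, list actions need their own filtering of tasks.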