where's my curation_concern?

byebug.txt

[82, 91] in /Users/atz/repos/sufia/app/controllers/concerns/sufia/works_controller_behavior.rb
   82:         end
   83:       end
   84: 
   85:       def save_permissions
   86:         byebug
=> 87:         @saved_permissions = curation_concern.permissions.map(&:to_hash)
   88:       end
   89: 
   90:       def permissions_changed?
   91:         @saved_permissions != curation_concern.permissions.map(&:to_hash)
(byebug) @curation_concern
nil
(byebug) curation_concern
nil
(byebug) 

byebug2.txt

(byebug) puts self.class.ancestors.join "\n"
CurationConcerns::GenericWorksController
Sufia::WorksControllerBehavior
Sufia::Breadcrumbs
CurationConcerns::CurationConcernController
Blacklight::AccessControls::Catalog
Blacklight::Base
Blacklight::SearchContext
Blacklight::SearchHelper
Blacklight::RequestBuilders
Blacklight::Configurable
#<Module:0x007fb5a6a070b8>
#<Module:0x007fb5a89d3338>
#<Module:0x007fb5a89d3360>
ApplicationController
CurationConcerns::ThemedLayoutController
Sufia::Controller
CurationConcerns::ApplicationControllerBehavior
Hydra::Controller::ControllerBehavior
Blacklight::SearchFields
#<Module:0x007fb5a9d97e00>
Blacklight::Controller
#<Module:0x007fb5a6edd8d0>
#<Module:0x007fb5a6a613b0>
#<Module:0x007fb5a6a61450>
ActionController::Base
DeviseGuests::Controllers::UrlHelpers
DeviseGuests::Controllers::Helpers
Devise::Controllers::UrlHelpers
Devise::Controllers::Helpers
Devise::Controllers::StoreLocation
Devise::Controllers::SignInOut
Turbolinks::Redirection
Turbolinks::Controller
Flipflop::Strategies::AbstractStrategy::RequestInterceptor
ActiveRecord::Railties::ControllerRuntime
ActionDispatch::Routing::RouteSet::MountedHelpers
ActionController::RespondWith
BreadcrumbsOnRails::ActionController
CanCan::ControllerAdditions
ActionController::ParamsWrapper
ActionController::Instrumentation
ActionController::Rescue
ActionController::HttpAuthentication::Token::ControllerMethods
ActionController::HttpAuthentication::Digest::ControllerMethods
ActionController::HttpAuthentication::Basic::ControllerMethods
ActionController::DataStreaming
ActionController::Streaming
ActionController::ForceSSL
ActionController::RequestForgeryProtection
AbstractController::Callbacks
ActiveSupport::Callbacks
ActionController::FormBuilder
ActionController::Flash
ActionController::Cookies
ActionController::StrongParameters
ActiveSupport::Rescuable
ActionController::ImplicitRender
ActionController::BasicImplicitRender
ActionController::MimeResponds
AbstractController::Caching
AbstractController::Caching::ConfigMethods
AbstractController::Caching::Fragments
ActionController::Caching
ActionController::EtagWithTemplateDigest
ActionController::ConditionalGet
ActionController::Head
ActionController::Renderers::All
ActionController::Renderers
ActionController::Rendering
ActionView::Layouts
ActionView::Rendering
ActionController::Redirecting
ActiveSupport::Benchmarkable
AbstractController::Logger
ActionController::UrlFor
AbstractController::UrlFor
ActionDispatch::Routing::UrlFor
ActionDispatch::Routing::PolymorphicRoutes
ActionController::Helpers
AbstractController::Helpers
AbstractController::AssetPaths
AbstractController::Translation
AbstractController::Rendering
ActionView::ViewPaths
#<Module:0x007fb5a1689530>
ActionController::Metal
ActionController::Testing::Functional
AbstractController::Base
ActiveSupport::Configurable
ActiveSupport::ToJsonWithActiveSupportEncoder
Object
PP::ObjectMixin
ActiveSupport::Dependencies::Loadable
JSON::Ext::Generator::GeneratorMethods::Object
ActiveSupport::Tryable
Kernel
BasicObject
nil

The problem turned out to be the order of filters. By having before_action in a Module included block, they end up happening before the CanCan load_and_authorize_resource-supplied filters. This is why callbacks are such a robust source of pain.