pundit: make it work

app/controllers/mappings_controller.rb

@@ -9,7 +9,7 @@ class MappingsController < ApplicationController
   # GET /mappings/1.json
   def show
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     render json: @mapping
   end
@@ -17,8 +17,8 @@ class MappingsController < ApplicationController
   # POST /mappings.json
   def create
     @mapping = Mapping.new(mapping_params)
-    authorize! @mapping
-
+    authorize @mapping
+    @mapping.user = current_user
     if @mapping.save
       render json: @mapping, status: :created
     else
@@ -29,7 +29,7 @@ class MappingsController < ApplicationController
   # PUT /mappings/1.json
   def update
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     if @mapping.update_attributes(mapping_params)
       head :no_content
@@ -41,7 +41,7 @@ class MappingsController < ApplicationController
   # DELETE /mappings/1.json
   def destroy
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     @mapping.destroy
 
@@ -51,6 +51,6 @@ class MappingsController < ApplicationController
   private
     # Never trust parameters from the scary internet, only allow the white list through.
     def mapping_params
-      params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id, :user_id)
+      params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id)
     end
 end