pundit: make it work

app/controllers/mappings_controller.rb

@@ -8,7 +8,7 @@ class MappingsController < ApplicationController
   # GET /mappings/1.json
   def show
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     render json: @mapping
   end
@@ -16,8 +16,8 @@ class MappingsController < ApplicationController
   # POST /mappings.json
   def create
     @mapping = Mapping.new(mapping_params)
-    authorize! @mapping
-
+    authorize @mapping
+    @mapping.user = current_user
     if @mapping.save
       render json: @mapping, status: :created
     else
@@ -28,7 +28,7 @@ class MappingsController < ApplicationController
   # PUT /mappings/1.json
   def update
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     if @mapping.update_attributes(mapping_params)
       head :no_content
@@ -40,7 +40,7 @@ class MappingsController < ApplicationController
   # DELETE /mappings/1.json
   def destroy
     @mapping = Mapping.find(params[:id])
-    authorize! @mapping
+    authorize @mapping
 
     @mapping.destroy
 
@@ -50,6 +50,6 @@ class MappingsController < ApplicationController
   private
     # Never trust parameters from the scary internet, only allow the white list through.
     def mapping_params
-      params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id, :user_id)
+      params.require(:mapping).permit(:id, :xloc, :yloc, :mappable_id, :mappable_type, :map_id)
     end
 end