In my situation, my ID parameter (to_param) was named slug rather than id, which caused the authorization not to work as expected. However, the source code stated that you specify an id_param: for these situations.
    authorize_resource id_param: :slug
This change resolved my issue.