From the documentation on authorizing controller actions:
    # app/controllers/users_controller.rb
    def settings
      @user = User.find(params[:id])
      authorize! :settings, @user
    end
This assumes that you've properly established your access parameters as such:
    # app/models/ability.rb
    # Inside Ability#initialize(user): `user` is the current user, `u` is the record being checked.
    can :settings, User do |u|
      user.id == u.id
    end
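
To see what the block condition enforces, here is an added example (not from the original text and not CanCan's own code): a simplified plain-Ruby stand-in for the gem's rule matching, with a hypothetical `settings` helper, a stand-in `AccessDenied` class and constructed users. It also shows that, as in CanCan, a block condition is only evaluated for an instance, so passing the class `User` instead of `@user` skips the ownership check.

```ruby
# Simplified stand-in for CanCan's rule matching (assumption: not the gem's code).
class AccessDenied < StandardError; end

User = Struct.new(:id)

class Ability
  def initialize(user)
    @rules = []
    user ||= User.new(nil) # guest: no id, so it matches no stored user
    # Same rule as on the page: a user may open only their own settings.
    can(:settings, User) { |u| user.id == u.id }
  end

  def can(action, klass, &block)
    @rules << [action, klass, block]
  end

  # The block runs only when an instance is passed; a bare class skips it.
  def can?(action, subject)
    @rules.any? do |act, klass, block|
      next false unless act == action
      if subject.is_a?(Class)
        subject <= klass
      else
        subject.is_a?(klass) && (block.nil? || block.call(subject))
      end
    end
  end

  def authorize!(action, subject)
    raise AccessDenied, "not allowed to #{action}" unless can?(action, subject)
    subject
  end
end

# Hypothetical controller action: params[:id] comes from the request.
def settings(current_user, params, users)
  target = users.fetch(params[:id])
  Ability.new(current_user).authorize!(:settings, target)
end

USERS = { 1 => User.new(1), 2 => User.new(2) }.freeze # constructed sample data
```
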