This only took me a full hour

app/controllers/application_controller.rb

@@ -10,6 +10,7 @@ class ApplicationController < ActionController::Base
   end
 
   rescue_from CanCan::AccessDenied do |exception|
+    Rails.logger.debug "Access denied on #{exception.action} #{exception.subject.inspect}"
     respond_to do |format|
       format.json { render json: [ "Diefstal is een misdrijf." ], status: :forbidden }
       format.html { redirect_to root_path, flash: { error: message_for(exception) } }

app/controllers/orders_controller.rb

@@ -11,9 +11,10 @@
 #
 
 class OrdersController < ApplicationController
-  load_resource :user
+  load_and_authorize_resource :user
   load_and_authorize_resource :order, through: :user, shallow: true, only: [:overview, :destroy]
   load_and_authorize_resource :order, through: :user, only: [:new, :create]
+  skip_before_action :set_user!
 
   def new
     @products = Product.all.for_sale.order(:name)
@@ -21,7 +22,6 @@ class OrdersController < ApplicationController
   end
 
   def create
-    @order.user = @user
     if @order.save
       flash[:success] = @order.flash_success
       redirect_to root_path

app/controllers/welcome_controller.rb

@@ -1,5 +1,6 @@
 class WelcomeController < ApplicationController
   skip_before_filter :verify_authenticity_token, only: :token_sign_in
+  skip_before_action :authenticate_user!
 
   def index
   end