def show
  authorize @photo
end
When you pass the authorize method an instance of Photo:
It assumes there is a class called PhotoPolicy in app/policies.
It assumes there is a method called current_user.
It passes current_user as the first argument and whatever you pass to authorize (in this case, @photo) as the second argument to a new instance of PhotoPolicy.
It calls a method named after the action with a ? appended on the new policy instance.
If it gets back false, it raises Pundit::NotAuthorizedError.
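The steps above, traced in plain Ruby without the gem. This is an added sketch, not Pundit's source code: NotAuthorizedError, the User and Photo structs, the ownership rule in show?, and the hand-rolled authorize are assumptions made for illustration.

```ruby
# Simplified stand-in for the steps described above; NOT Pundit's source code.
class NotAuthorizedError < StandardError; end # stand-in for Pundit::NotAuthorizedError

User  = Struct.new(:id, :admin)   # constructed sample model
Photo = Struct.new(:id, :owner_id) # constructed sample model

# Policy class: user first, record second, one predicate per controller action.
class PhotoPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Hypothetical rule: only the owner or an admin may view; anonymous is denied.
  def show?
    !user.nil? && (user.admin || record.owner_id == user.id)
  end
end

# Hypothetical controller with a hand-rolled authorize mirroring the listed steps.
class PhotosController
  attr_reader :current_user, :action_name

  def initialize(current_user, photo)
    @current_user = current_user
    @photo = photo
    @action_name = "show"
  end

  def show
    authorize @photo
    :rendered
  end

  private

  def authorize(record)
    policy_class = Object.const_get("#{record.class.name}Policy") # Photo -> PhotoPolicy
    policy = policy_class.new(current_user, record)               # user first, record second
    query = "#{action_name}?"                                     # "show" -> "show?"
    raise NotAuthorizedError, "not allowed to #{query} this #{record.class.name}" unless policy.public_send(query)
    record
  end
end
```

Because the check raises instead of returning a value, an action that calls authorize cannot fall through to rendering when the policy method returns false.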