Added Pundit.

Gemfile

@@ -14,6 +14,7 @@ gem 'puma', '~> 3.11'
 gem 'devise', '~> 4.4'
 gem 'devise-i18n', '~> 1.6'
 gem 'simple_form', '~> 4.0'
+gem 'pundit', '~> 1.1'
 
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 5.0'

Gemfile.lock

@@ -162,6 +162,8 @@ GEM
       pry (>= 0.10.4)
     public_suffix (3.0.2)
     puma (3.11.4)
+    pundit (1.1.0)
+      activesupport (>= 3.0.0)
     rack (2.0.5)
     rack-proxy (0.6.4)
       rack
@@ -296,6 +298,7 @@ DEPENDENCIES
   pry-byebug
   pry-rails
   puma (~> 3.11)
+  pundit (~> 1.1)
   rails (~> 5.2.0)
   rails-i18n (~> 5.1)
   rubocop (~> 0.56.0)

app/controllers/application_controller.rb

@@ -1,4 +1,7 @@
 class ApplicationController < ActionController::Base
+  include Pundit
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
   before_action :configure_devise_parameters, if: :devise_controller?
 
   protected
@@ -7,4 +10,9 @@ class ApplicationController < ActionController::Base
     devise_parameter_sanitizer.permit(:sign_up, keys: [:tos_accepted])
     devise_parameter_sanitizer.permit(:account_update, keys: [:notifications_enabled])
   end
+
+  def user_not_authorized
+    flash[:alert] = I18n.t("user_not_authorized", scope: :flashes)
+    redirect_to(request.referrer || root_path)
+  end
 end

app/policies/application_policy.rb

@@ -0,0 +1,53 @@
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  def index?
+    false
+  end
+
+  def show?
+    scope.where(id: record.id).exists?
+  end
+
+  def create?
+    false
+  end
+
+  def new?
+    create?
+  end
+
+  def update?
+    false
+  end
+
+  def edit?
+    update?
+  end
+
+  def destroy?
+    false
+  end
+
+  def scope
+    Pundit.policy_scope!(user, record.class)
+  end
+
+  class Scope
+    attr_reader :user, :scope
+
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    def resolve
+      scope
+    end
+  end
+end