diff --git a/app/controllers/concerns/submission_controller.rb b/app/controllers/concerns/submission_controller.rb
index a6099958d647fec9337ef049125a8d5ae9a3dea7..3bb83748a7f7e4aa38768f79fcb1171ea56b2c66 100644
--- a/app/controllers/concerns/submission_controller.rb
+++ b/app/controllers/concerns/submission_controller.rb
@@ -25,7 +25,7 @@ module SubmissionController
     private
 
     def submitted
-        return @learning_object.state == "submitted"
+        return @learning_object.submitted?
     end
 
     def set_new_submission
diff --git a/app/controllers/v1/learning_objects/publishes_controller.rb b/app/controllers/v1/learning_objects/publishes_controller.rb
index 2686c5ebd97f196f847ca22f6c30ed7e1a0adcaf..d836d19044578e11a2b824d61d8ceb89f1b01cfc 100644
--- a/app/controllers/v1/learning_objects/publishes_controller.rb
+++ b/app/controllers/v1/learning_objects/publishes_controller.rb
@@ -20,7 +20,7 @@ class V1::LearningObjects::PublishesController < ApplicationController
   end
 
   def authorize!
-    authorize(@learning_object || LearningObject.new, :update?)
+    authorize(@learning_object, :publish?)
   end
 
   # Never trust parameters from the scary internet, only allow the white list through.
diff --git a/app/policies/learning_object_policy.rb b/app/policies/learning_object_policy.rb
index 2eb063b8faf1a338c28fac3795cf8ebc057d6b47..70dd4d64f957066660dcbf48f3ad5c766f49c2f1 100644
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -26,6 +26,10 @@ class LearningObjectPolicy < ApplicationPolicy
     record if owns?
   end
 
+  def publish?
+    record if user_can_curate? && record.submitted?
+  end
+
   def destroy?
     record if owns?
   end