Adding learning object policy

app/controllers/learning_objects_controller.rb

@@ -12,11 +12,11 @@ class LearningObjectsController < ApplicationController
                                              :collections, :upload, :upload_link, :download,
                                              :user_not_authorized]
   after_action :increment_learning_object_views, only: [:show]
+  before_action :authorize_action
 
   # GET /learning_objects/1
   # GET /learning_objects/1.json
   def show
-    authorize @learning_object
     @liked = !@learning_object.liked?(current_user) if user_signed_in?
     @reviews = Review.where(reviewable: @learning_object)
   end
@@ -135,4 +135,9 @@ class LearningObjectsController < ApplicationController
     redirect_to (root_path)
   end
 
+  def authorize_action
+    @learning_object ||= LearningObject.new
+    authorize @learning_object
+  end
+
 end

app/policies/learning_object_policy.rb

@@ -11,6 +11,18 @@ class LearningObjectPolicy < ApplicationPolicy
     end
   end
 
+  def create?
+    record unless user.nil?
+  end
+
+  def update?
+    record if user_authorized?
+  end
+
+  def destroy?
+    record if user_authorized?
+  end
+
   def show?
     if user.nil?
       record.state == 'published'
@@ -20,4 +32,17 @@ class LearningObjectPolicy < ApplicationPolicy
       record.state == 'published'
     end
   end
+
+  private
+
+  def user_authorized?
+    return false if user.nil?
+    return true if user.is_admin?
+
+    if record.publisher.is_a? Institution
+      record.publisher.users.include? user
+    else
+      record.publisher == user
+    end
+  end
 end