Install Pundit and add UserPolicy

app/controllers/application_controller.rb

@@ -1,8 +1,14 @@
 class ApplicationController < ActionController::Base
   include Authentication
+  include Pundit::Authorization
+
+  before_action :set_title, :set_current_user
+  # TODO: add later
+  # after_action :verify_authorized
+
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
-  before_action :set_title, :set_current_user
+  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
   layout "authenticated"
 
   private
@@ -14,4 +20,11 @@ class ApplicationController < ActionController::Base
   def set_current_user
     @current_user = current_user
   end
+
+  def user_not_authorized(exception)
+    policy_name = exception.policy.class.to_s.underscore
+
+    flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
+    redirect_back_or_to(root_path)
+  end
 end

app/controllers/users_controller.rb

@@ -2,15 +2,21 @@ class UsersController < ApplicationController
   before_action :set_user, only: %i[ destroy edit show update ]
 
   def index
+    authorize :user
+
     @title = "All users"
     @users = User.all
   end
 
   def edit
+    authorize @user
+
     @title = "My settings"
   end
 
   def update
+    authorize @user
+
     if @user.update(user_params)
       redirect_to contests_path
     else
@@ -19,15 +25,21 @@ class UsersController < ApplicationController
   end
 
   def show
+    authorize @user
+
     redirect_to edit_user_path(@user)
   end
 
   def new
+    authorize :user
+
     @title = "New user"
     @user = User.new()
   end
 
   def create
+    authorize :user
+
     @user = User.new(user_params)
     if @user.save
       redirect_to users_path
@@ -38,6 +50,7 @@ class UsersController < ApplicationController
   end
 
   def destroy
+    authorize @user
   end
 
   private