diff --git a/app/policies/favorite_policy.rb b/app/policies/favorite_policy.rb
index b604f1ea1..29784ceb7 100644
--- a/app/policies/favorite_policy.rb
+++ b/app/policies/favorite_policy.rb
@@ -1,6 +1,6 @@
 class FavoritePolicy < ApplicationPolicy
 def create?
- !user.is_anonymous?
+ unbanned? && user.is_member?
 end
 def destroy?
diff --git a/app/policies/post_vote_policy.rb b/app/policies/post_vote_policy.rb
index 279e10d5c..730cbe46c 100644
--- a/app/policies/post_vote_policy.rb
+++ b/app/policies/post_vote_policy.rb
@@ -1,6 +1,6 @@
 class PostVotePolicy < ApplicationPolicy
 def create?
- unbanned? && user.is_gold?
+ unbanned? && user.is_member?
 end
 def destroy?
diff --git a/test/factories/user.rb b/test/factories/user.rb
index dc6cf0942..a9bbe1c77 100644
--- a/test/factories/user.rb
+++ b/test/factories/user.rb
@@ -8,6 +8,7 @@ FactoryBot.define do
 factory(:banned_user) do
 transient { ban_duration {3} }
 is_banned {true}
+ active_ban factory: :ban
 end
 factory(:restricted_user) do
diff --git a/test/functional/favorites_controller_test.rb b/test/functional/favorites_controller_test.rb
index 61e94cffe..f714e8393 100644
--- a/test/functional/favorites_controller_test.rb
+++ b/test/functional/favorites_controller_test.rb
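Review bot: In app/policies/favorite_policy.rb, `create?` no longer checks `is_anonymous?` directly, so denying anonymous requests now depends on `is_member?` being false for the anonymous user object, which is defined outside this diff. A one-line comment above the method would record the intended rule, e.g. `# Member level or above and not banned; anonymous and restricted users are denied.` The new tests in test/functional/favorites_controller_test.rb cover banned and restricted users; if no anonymous case exists elsewhere in that file, adding one would pin this behaviour. `destroy?` starts on the hunk's last line and its body is not shown.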
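Review bot: In app/policies/post_vote_policy.rb, relaxing `create?` from `user.is_gold?` to `user.is_member?` lets every unbanned account that passes `is_member?` change post scores, and nothing in this hunk limits how often an account can vote. It is worth confirming that the votes controller or model applies a rate limit or a similar abuse control, because the level gate no longer does that job; none is visible in this diff. A comment such as `# Voting is open to all unbanned members; throttling is enforced in <location, not shown here>.` would tell the next reader where that control lives. `destroy?` begins on the last line of the hunk and its body is not shown.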
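Review bot: In test/factories/user.rb, the `banned_user` factory still declares `transient { ban_duration {3} }`, but the added `active_ban factory: :ban` does not pass it on and no other line of the visible block reads it. Unless a callback outside the hunk uses it, `create(:banned_user, ban_duration: ...)` has no effect on the ban that gets created. The policy tests in this commit rely on this fixture being treated as actively banned, so either forward the value to the `:ban` factory (its duration attribute name is not visible in this diff) or drop the unused transient. A short comment saying that `active_ban` is what makes `unbanned?` false for this fixture would also help, if that is indeed the mechanism.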
@@ -48,12 +48,21 @@ class FavoritesControllerTest < ActionDispatch::IntegrationTest
 end
 end
- should "allow banned users to create favorites" do
+ should "not allow banned users to create favorites" do
 @banned_user = create(:banned_user)
- assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @banned_user.reload.favorite_count }], 1 do
+ assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @banned_user.reload.favorite_count }], 0 do
 post_auth favorites_path(post_id: @post.id), @banned_user, as: :javascript
- assert_response :redirect
+ assert_response 403
+ end
+ end
+
+ should "not allow restricted users to create favorites" do
+ @restricted_user = create(:restricted_user)
+
+ assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @restricted_user.reload.favorite_count }], 0 do
+ post_auth favorites_path(post_id: @post.id), @restricted_user, as: :javascript
+ assert_response 403
 end
 end
diff --git a/test/functional/post_votes_controller_test.rb b/test/functional/post_votes_controller_test.rb
index 43687de23..d329cda62 100644
--- a/test/functional/post_votes_controller_test.rb
+++ b/test/functional/post_votes_controller_test.rb
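Review bot: The two denial tests in this hunk are line-for-line copies that differ only in the factory name (`:banned_user` and `:restricted_user`), so a later change to the assertions can be applied to one and missed in the other. Generating both from a list keeps the denied roles in step and makes adding another denied role a one-word change. The enclosing context block opens before the hunk and is not shown, and the test names change slightly in the version below.

```ruby
# … unchanged: preceding tests in this context …
%i[banned_user restricted_user].each do |factory_name|
  should "not allow a #{factory_name} to create favorites" do
    denied_user = create(factory_name)

    assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { denied_user.reload.favorite_count }], 0 do
      post_auth favorites_path(post_id: @post.id), denied_user, as: :javascript
      assert_response 403
    end
  end
end
```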
@@ -185,13 +185,20 @@ class PostVotesControllerTest < ActionDispatch::IntegrationTest
 assert_equal(0, @post.reload.score)
 end
- should "not allow members to vote" do
- post_auth post_post_votes_path(post_id: @post.id), create(:user), params: { score: 1, format: "js" }
+ should "not allow restricted users to vote" do
+ post_auth post_post_votes_path(post_id: @post.id), create(:restricted_user), params: { score: 1, format: "js"}
 assert_response 403
 assert_equal(0, @post.reload.score)
 end
+ should "allow members to vote" do
+ post_auth post_post_votes_path(post_id: @post.id), create(:user), params: { score: 1, format: "js" }
+
+ assert_response :success
+ assert_equal(1, @post.reload.score)
+ end
+
 should "not allow invalid scores" do
 post_auth post_post_votes_path(post_id: @post.id), @user, params: { score: 3, format: "js" }
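Review bot: The rewritten `post_auth` line in "not allow restricted users to vote" ends with `format: "js"}`, while every other call in the hunk writes `format: "js" }`; restoring the space keeps the file consistent: `params: { score: 1, format: "js" }`. Separately, `PostVotePolicy#create?` also requires `unbanned?`, and no banned-user vote case appears in this hunk. If the rest of the file lacks one, a test using `create(:banned_user)` that asserts a 403 and an unchanged score would cover that half of the policy. The "not allow invalid scores" test continues past the end of the hunk.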