diff --git a/app/controllers/post_approvals_controller.rb b/app/controllers/post_approvals_controller.rb
index 79fbce004..045678935 100644
--- a/app/controllers/post_approvals_controller.rb
+++ b/app/controllers/post_approvals_controller.rb
@@ -1,15 +1,14 @@
 class PostApprovalsController < ApplicationController
- before_action :approver_only, only: [:create]
 respond_to :html, :xml, :json, :js
 def create
- post = Post.find(params[:post_id])
- @approval = post.approve!
+ @approval = authorize PostApproval.new(user: CurrentUser.user, post_id: params[:post_id])
+ @approval.save
 respond_with(@approval)
 end
 def index
- @post_approvals = PostApproval.paginated_search(params)
+ @post_approvals = authorize PostApproval.paginated_search(params)
 @post_approvals = @post_approvals.includes(:user, post: :uploader) if request.format.html?
 respond_with(@post_approvals)
diff --git a/app/policies/post_approval_policy.rb b/app/policies/post_approval_policy.rb
new file mode 100644
index 000000000..de762f9d1
--- /dev/null
+++ b/app/policies/post_approval_policy.rb
@@ -0,0 +1,5 @@
+class PostApprovalPolicy < ApplicationPolicy
+ def create?
+ user.is_approver?
+ end
+end
diff --git a/test/functional/post_approvals_controller_test.rb b/test/functional/post_approvals_controller_test.rb
index 0108c6317..e4b93c65f 100644
--- a/test/functional/post_approvals_controller_test.rb
+++ b/test/functional/post_approvals_controller_test.rb
@@ -26,6 +26,14 @@ class PostApprovalsControllerTest < ActionDispatch::IntegrationTest
 assert(!@post.reload.is_deleted?)
 end
 end
+ should "not allow non-approvers to approve posts" do
+ @post = create(:post, is_pending: true)
+ post_auth post_approvals_path(post_id: @post.id, format: :js), create(:user)
+
+ assert_response 403
+ assert_equal(true, @post.reload.is_pending?)
+ end
 end
 context "index action" do
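Review bot: In `create`, the post id goes straight from `params[:post_id]` into `PostApproval.new`, and `authorize` only consults `PostApprovalPolicy#create?`, which looks at the user and never at the record, so whether the post exists and is in an approvable state now rests entirely on PostApproval's validations, which this diff does not show; the replaced `Post.find` at least turned an unknown id into a 404 rather than a validation error. Unless the model is known to validate the post, I would keep the lookup: `post = Post.find(params[:post_id])` followed by `@approval = authorize PostApproval.new(user: CurrentUser.user, post: post)`. The hunk counts (`-1,15 +1,14`) suggest one trailing context line is missing, so `index`'s closing `end` falls outside the visible hunk. `index` is now authorized against a policy method the new file does not define, so its access depends on `ApplicationPolicy` defaults — worth confirming it stays reachable for the same users as before, since the removed `before_action` never covered `index`.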
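Review bot: `create?` ignores `record`, so this gate is purely role-based: nothing in the policy checks the post being approved (for example that it is still pending), and if such rules exist they must live on the model; a one-line comment would stop the next reader looking for them here: `# Role gate only; the state of the post being approved is not checked at policy level.` If `user` can be nil for an unauthenticated request, `user.is_approver?` raises instead of denying, so `user&.is_approver?` (or whatever nil-user convention `ApplicationPolicy` already follows) would turn that into a clean 403. The controller also calls `authorize` from `index`, but no `index?` is defined here, so listing access is whatever `ApplicationPolicy` inherits — confirm that matches the previously unrestricted behaviour.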
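Review bot: The new test checks the 403 and that the post is still pending, but not that the rejected request wrote no `PostApproval` row, which is the property the policy is meant to protect; wrapping the request in `assert_no_difference("PostApproval.count") do ... end` pins it, since `is_pending?` could remain true for reasons unrelated to authorization (a failed validation, for instance). `assert_equal(true, @post.reload.is_pending?)` reads more naturally as `assert_predicate(@post.reload, :is_pending?)`. Only an authenticated non-approver is exercised; a second case using an unauthenticated request (plain `post` instead of `post_auth`, if the suite allows it) would cover the anonymous path of the same policy. The `create action` context this test sits in starts outside the hunk.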