pundit: convert news updates to pundit.

app/controllers/news_updates_controller.rb

@@ -1,44 +1,39 @@
 class NewsUpdatesController < ApplicationController
-  before_action :admin_only
   respond_to :html
 
   def index
+    authorize NewsUpdate
     @news_updates = NewsUpdate.order("id desc").paginate(params[:page], :limit => params[:limit])
     respond_with(@news_updates)
   end
 
   def edit
-    @news_update = NewsUpdate.find(params[:id])
+    @news_update = authorize NewsUpdate.find(params[:id])
     respond_with(@news_update)
   end
 
   def update
-    @news_update = NewsUpdate.find(params[:id])
-    @news_update.update(news_update_params)
+    @news_update = authorize NewsUpdate.find(params[:id])
+    @news_update.update(permitted_attributes(@news_update))
     respond_with(@news_update, :location => news_updates_path)
   end
 
   def new
-    @news_update = NewsUpdate.new
+    @news_update = authorize NewsUpdate.new
     respond_with(@news_update)
   end
 
   def create
-    @news_update = NewsUpdate.create(news_update_params.merge(creator: CurrentUser.user))
+    @news_update = authorize NewsUpdate.new(creator: CurrentUser.user, **permitted_attributes(NewsUpdate))
+    @news_update.save
     respond_with(@news_update, :location => news_updates_path)
   end
 
   def destroy
-    @news_update = NewsUpdate.find(params[:id])
+    @news_update = authorize NewsUpdate.find(params[:id])
     @news_update.destroy
     respond_with(@news_update) do |format|
       format.js
     end
   end
-
-  private
-
-  def news_update_params
-    params.require(:news_update).permit([:message])
-  end
 end

app/policies/news_update_policy.rb

@@ -0,0 +1,17 @@
+class NewsUpdatePolicy < ApplicationPolicy
+  def index?
+    user.is_admin?
+  end
+
+  def create?
+    user.is_admin?
+  end
+
+  def update?
+    user.is_admin?
+  end
+
+  def permitted_attributes
+    [:message]
+  end
+end