diff --git a/app/controllers/favorites_controller.rb b/app/controllers/favorites_controller.rb
index e5338baa3..ba293bb95 100644
--- a/app/controllers/favorites_controller.rb
+++ b/app/controllers/favorites_controller.rb
@@ -1,10 +1,10 @@
 class FavoritesController < ApplicationController
- before_action :member_only, except: [:index]
 respond_to :html, :xml, :json, :js
 skip_before_action :api_check
 rescue_with Favorite::Error, status: 422
 def index
+ authorize Favorite if !request.format.html?
 @favorites = Favorite.visible(CurrentUser.user).paginated_search(params)
 respond_with(@favorites)
@@ -19,6 +19,7 @@ class FavoritesController < ApplicationController
 end
 def create
+ authorize Favorite
 @post = Post.find(params[:post_id])
 @post.add_favorite!(CurrentUser.user)
 flash.now[:notice] = "You have favorited this post"
@@ -27,6 +28,7 @@ class FavoritesController < ApplicationController
 end
 def destroy
+ authorize Favorite
 @post = Post.find_by_id(params[:id])
 if @post
diff --git a/app/policies/favorite_policy.rb b/app/policies/favorite_policy.rb
new file mode 100644
index 000000000..d10be727e
--- /dev/null
+++ b/app/policies/favorite_policy.rb
@@ -0,0 +1,9 @@
+class FavoritePolicy < ApplicationPolicy
+ def create?
+ user.is_member?
+ end
+
+ def destroy?
+ user.is_member?
+ end
+end
diff --git a/app/views/posts/show.html.erb b/app/views/posts/show.html.erb
index f3d95a83d..71a60c601 100644
--- a/app/views/posts/show.html.erb
+++ b/app/views/posts/show.html.erb
@@ -56,7 +56,7 @@
 <%= render "posts/partials/show/embedded", post: @post %>
 <% end -%>
- <% if CurrentUser.is_member? %>
+ <% if policy(Favorite).create? %>
 <%= content_tag(:div, class: "fav-buttons fav-buttons-#{@post.is_favorited?}") do %>
 <%= form_tag(favorites_path(post_id: @post.id), method: "post", id: "add-fav-button", "data-remote": true) do %>
 <%= button_tag tag.i(class: "far fa-heart"), class: "ui-button ui-widget ui-corner-all", "data-disable-with": tag.i(class: "fas fa-spinner fa-spin") %>
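Review bot: `authorize Favorite` in `index` dispatches to `FavoritePolicy#index?`, which the new policy does not define, so the outcome for anonymous and non-member callers now rests on `ApplicationPolicy#index?` (not in this diff), whereas before `index` was excluded from `member_only` and the listing was open to everyone. The collapsed hunk does not show whether the call is the modifier form `authorize Favorite if !request.format.html?` or a separate line ahead of the `if`; in the first reading HTML requests skip authorization entirely, in the second an anonymous HTML request depends on `index?` accepting a non-member user. No test in this commit requests the index in a non-HTML format, so I would add one, e.g. `get favorites_path(format: :json)` as an anonymous user with `assert_response :success` (or whatever outcome is intended), plus a one-line comment on the `authorize` call stating which formats it gates. The `else` branch of `index` continues outside the hunk.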
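Review bot: `user.is_member?` in `create?` and `destroy?` assumes `user` is never nil; if `ApplicationPolicy` hands the policy a nil user for unauthenticated requests, an anonymous POST to `/favorites` would raise `NoMethodError` (a 500) instead of being denied, so confirm the policy always receives an anonymous-user object or write `user&.is_member?` so a missing user is refused. The tests in this commit show that banned members are intentionally still allowed to favorite and unfavorite, but nothing in the policy records that, and a later hardening pass could "fix" it; a comment such as `# Favorites only require membership: banned users keep the ability to add and remove them (see favorites_controller_test).` above `create?` would capture the decision. `index?` is also absent here even though the controller now authorizes it, so that rule is inherited silently from `ApplicationPolicy`.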
diff --git a/test/functional/favorites_controller_test.rb b/test/functional/favorites_controller_test.rb
index feef446bf..00f7b339c 100644
--- a/test/functional/favorites_controller_test.rb
+++ b/test/functional/favorites_controller_test.rb
@@ -4,51 +4,56 @@ class FavoritesControllerTest < ActionDispatch::IntegrationTest
 context "The favorites controller" do
 setup do
 @user = create(:user)
+ @post = create(:post)
+ @faved_post = create(:post)
+ @faved_post.add_favorite!(@user)
 end
 context "index action" do
- setup do
- @post = create(:post)
- @post.add_favorite!(@user)
- end
-
 should "redirect the user_id param to an ordfav: search" do
 get favorites_path(user_id: @user.id)
- assert_redirected_to posts_path(tags: "ordfav:#{@user.name}")
+ assert_redirected_to posts_path(tags: "ordfav:#{@user.name}", format: "html")
 end
 should "redirect members to an ordfav: search" do
 get_auth favorites_path, @user
- assert_redirected_to posts_path(tags: "ordfav:#{@user.name}")
+ assert_redirected_to posts_path(tags: "ordfav:#{@user.name}", format: "html")
 end
 should "redirect anonymous users to the posts index" do
 get favorites_path
- assert_redirected_to posts_path
+ assert_redirected_to posts_path(format: "html")
 end
 end
 context "create action" do
- setup do
- @post = create(:post)
- end
-
 should "create a favorite for the current user" do
 assert_difference("Favorite.count", 1) do
- post_auth favorites_path, @user, params: {:format => "js", :post_id => @post.id}
+ post_auth favorites_path(post_id: @post.id), @user, as: :javascript
+ assert_response :redirect
+ end
+ end
+
+ should "allow banned users to create favorites" do
+ assert_difference("Favorite.count", 1) do
+ post_auth favorites_path(post_id: @post.id), create(:banned_user), as: :javascript
+ assert_response :redirect
 end
 end
 end
 context "destroy action" do
- setup do
- @post = create(:post)
- @post.add_favorite!(@user)
- end
-
 should "remove the favorite from the current user" do
 assert_difference("Favorite.count", -1) do
- delete_auth favorite_path(@post.id), @user, params: {:format => "js"}
+ delete_auth favorite_path(@faved_post.id), @user, as: :javascript
+ assert_response :redirect
+ end
+ end
+
+ should "allow banned users to destroy favorites" do
assert_difference("Favorite.count", -1) do
+ delete_auth favorite_path(@faved_post.id), @user, as: :javascript
+ assert_response :redirect
 end
 end
 end
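Review bot: the new `should "allow banned users to destroy favorites"` case authenticates as `@user`, a regular member, so it duplicates the preceding test and never exercises a banned account; it should favorite and then unfavorite as a banned user: `banned = create(:banned_user)`, `@faved_post.add_favorite!(banned)`, `delete_auth favorite_path(@faved_post.id), banned, as: :javascript`. The commit also swaps the `member_only` filter for Pundit checks without adding a negative test, so a policy regression that lets anonymous users create or destroy favorites would pass this suite unnoticed. An unauthenticated `post favorites_path(post_id: @post.id), as: :javascript` wrapped in `assert_no_difference("Favorite.count")`, asserting whatever status `ApplicationController` maps `Pundit::NotAuthorizedError` to (403 or a redirect, not visible here), and the matching `delete favorite_path(@faved_post.id), as: :javascript` would pin the intended denial.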