pundit: convert favorites to pundit.

app/controllers/favorites_controller.rb

@@ -1,10 +1,10 @@
 class FavoritesController < ApplicationController
-  before_action :member_only, except: [:index]
   respond_to :html, :xml, :json, :js
   skip_before_action :api_check
   rescue_with Favorite::Error, status: 422
 
   def index
+    authorize Favorite
     if !request.format.html?
       @favorites = Favorite.visible(CurrentUser.user).paginated_search(params)
       respond_with(@favorites)
@@ -19,6 +19,7 @@ class FavoritesController < ApplicationController
   end
 
   def create
+    authorize Favorite
     @post = Post.find(params[:post_id])
     @post.add_favorite!(CurrentUser.user)
     flash.now[:notice] = "You have favorited this post"
@@ -27,6 +28,7 @@ class FavoritesController < ApplicationController
   end
 
   def destroy
+    authorize Favorite
     @post = Post.find_by_id(params[:id])
 
     if @post

app/policies/favorite_policy.rb

@@ -0,0 +1,9 @@
+class FavoritePolicy < ApplicationPolicy
+  def create?
+    user.is_member?
+  end
+
+  def destroy?
+    user.is_member?
+  end
+end

app/views/posts/show.html.erb

@@ -56,7 +56,7 @@
     <%= render "posts/partials/show/embedded", post: @post %>
   <% end -%>
 
-  <% if CurrentUser.is_member? %>
+  <% if policy(Favorite).create? %>
     <%= content_tag(:div, class: "fav-buttons fav-buttons-#{@post.is_favorited?}") do %>
       <%= form_tag(favorites_path(post_id: @post.id), method: "post", id: "add-fav-button", "data-remote": true) do %>
         <%= button_tag tag.i(class: "far fa-heart"), class: "ui-button ui-widget ui-corner-all", "data-disable-with": tag.i(class: "fas fa-spinner fa-spin") %>