Only admins of org could access to /petitions/manage

app/controllers/petitions_controller.rb

@@ -18,6 +18,8 @@ def create
 
   def update
     petition = Petition.find params[:id]
+    authorize petition
+
     status = params[:status]
 
     if petition.update(status: status)
@@ -31,6 +33,8 @@ def update
   end
 
   def manage
+    authorize Petition
+
     @status = params[:status] || Petition::DEFAULT_STATUS
     @users = User.joins(:petitions).where(petitions: { organization_id: current_organization.id, status: @status }).page(params[:page]).per(20)
   end

app/policies/petition_policy.rb

@@ -0,0 +1,11 @@
+class PetitionPolicy < ApplicationPolicy
+  alias_method :petition, :record
+
+  def update?
+    user&.superadmin? || user&.admins?(petition.organization)
+  end
+
+  def manage?
+    user&.superadmin? || user&.admins?(organization)
+  end
+end

spec/controllers/petitions_controller_spec.rb

@@ -2,6 +2,7 @@
   let!(:organization) { Fabricate(:organization) }
   let(:user) { Fabricate(:user) }
   let!(:admin) { Fabricate(:member, organization: organization, manager: true) }
+  let!(:non_admin) { Fabricate(:member, organization: organization, manager: false) }
 
   describe 'POST #create' do
     before { login(user) }
@@ -40,14 +41,24 @@
   describe 'GET #manage' do
     before do
       allow(controller).to receive(:current_organization) { organization }
-      login(admin.user)
     end
     let!(:petition) { Petition.create(user: user, organization: organization) }
 
-    it 'populates a list of users with pending petitions' do
+    it 'as an admin: populates a list of users with pending petitions' do
+      login(admin.user)
+
       get :manage
 
       expect(assigns(:users)).to include(user)
     end
+
+    it 'as non-admin: not authorized' do
+      login(non_admin.user)
+
+      get :manage
+
+      expect(response).to redirect_to(root_path)
+      expect(flash[:error]).to eq('You are not authorized to perform this action.')
+    end
   end
 end