rubyforgood · Copilot · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
@@ -24,9 +24,6 @@ def new
   def edit
     authorize! @event
     set_form_variables
-    unless @event.created_by == current_user || current_user&.super_user?
-      redirect_to events_path, alert: "You are not authorized to edit this event."
-    end
   end
 
   def create

diff --git a/app/controllers/monthly_reports_controller.rb b/app/controllers/monthly_reports_controller.rb
@@ -108,14 +108,8 @@ def show
     authorize! @monthly_report
     @answers      = @monthly_report.report_form_field_answers
 
-    if @monthly_report
-      if current_user&.super_user? || (@monthly_report.organization && current_user.organization_ids.include?(@monthly_report.organization.id))
-        render :show
-      else
-        redirect_to root_path, error: "You do not have permission to view this page."
-      end
-    else
-      redirect_to root_path, error: "Unable to find that Workshop Log."
+    unless @monthly_report
+      redirect_to root_path, error: "Unable to find that Monthly Report."
     end
   end
 

diff --git a/app/controllers/people_controller.rb b/app/controllers/people_controller.rb
@@ -97,11 +97,7 @@ def set_form_variables
     @all_sectors = Sector.published.order(:name)
     @current_sector_ids = @person.sectorable_items.pluck(:sector_id)
 
-    organizations = if current_user&.super_user?
-      Organization.active
-    else
-      current_user.organizations
-    end
+    organizations = authorized_scope(Organization.all)
     @organizations_array = organizations.order(:name).pluck(:name, :id)
   end
 

diff --git a/app/controllers/quotes_controller.rb b/app/controllers/quotes_controller.rb
@@ -58,7 +58,7 @@ def destroy
 
   # Optional hooks for setting variables for forms or index
   def set_form_variables
-    workshops = current_user&.super_user? ? Workshop.all : Workshop.active
+    workshops = authorized_scope(Workshop.all)
     @workshops = workshops.order(:title)
   end
 

diff --git a/app/controllers/workshop_logs_controller.rb b/app/controllers/workshop_logs_controller.rb
@@ -112,7 +112,7 @@ def set_index_variables # needs to not be private
       Arel.sql("DISTINCT EXTRACT(YEAR FROM COALESCE(date, created_at, NOW()))")
     ).sort.reverse
 
-    scoped_users = current_user&.super_user? ? User.active : User.where(id: current_user.id)
+    scoped_users = authorized_scope(User.active)
     @people = scoped_users.or(User.where(id: @workshop_logs_unpaginated.pluck(:user_id)))
                                 .includes(:workshop_logs, :person)
                                 .joins(:workshop_logs)
@@ -137,9 +137,7 @@ def set_form_variables
     end
 
     workshops = Workshop.includes(:windows_type)
-    unless current_user&.super_user?
-      workshops = workshops.published
-    end
+    workshops = authorized_scope(workshops)
     @workshops = workshops.or(Workshop.where(id: @workshop_log.workshop_id).includes(:windows_type))
                           .distinct
                           .order(title: :asc)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -1,4 +1,8 @@
 module ApplicationHelper
+  def current_user_admin?
+    current_user&.super_user?
+  end
+
   def search_page(params)
     params[:search] ? params[:search][:page] : 1
   end

diff --git a/app/policies/event_policy.rb b/app/policies/event_policy.rb
@@ -15,6 +15,17 @@ def register?
     authenticated? && record.published?
   end
 
+  def edit?
+    admin? || owner?
+  end
+
+  private
+
+  def owner?
+    return false unless authenticated?
+    record.created_by == user
+  end
+
   relation_scope do |relation|
     next relation if admin?
     if authenticated? # logged in users can see events they are registered for even if registration is closed

diff --git a/app/policies/organization_policy.rb b/app/policies/organization_policy.rb
@@ -13,7 +13,13 @@ def show?
   # See https://actionpolicy.evilmartians.io/#/scoping
 
   relation_scope do |relation|
-    next relation if admin?
-    relation.published
+    if admin?
+      relation.active
+    elsif authenticated?
+      # Non-admin users see organizations they belong to
+      relation.where(id: user.organization_ids)
+    else
+      relation.published
+    end
   end
 end
diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb
@@ -8,7 +8,14 @@ def create?
   end
 
   def show?
-    admin? || owner?
+    admin? || owner? || belongs_to_organization?
+  end
+
+  private
+
+  def belongs_to_organization?
+    return false unless authenticated?
+    record.organization&.id && user.organization_ids.include?(record.organization.id)
   end
 
   relation_scope do |relation|

diff --git a/app/services/workshop_search_service.rb b/app/services/workshop_search_service.rb
@@ -1,11 +1,10 @@
 class WorkshopSearchService
-  attr_reader :params, :user, :admin
+  attr_reader :params, :user
   attr_accessor :workshops, :sort
 
   def initialize(params = {}, user: nil)
     @params = params
     @user = user
-    @admin = user&.super_user?
     @sort = default_sort
     @workshops =
       if @sort == "popularity"

diff --git a/app/views/admin/ahoy_activities/index.html.erb b/app/views/admin/ahoy_activities/index.html.erb
@@ -29,7 +29,7 @@
             </div>
 
             <!-- User Filter -->
-            <% if current_user&.super_user? %>
+            <% if current_user_admin? %>
               <div>
                 <label class="block text-sm font-medium text-gray-600 mb-1">
                   User

diff --git a/app/views/banners/show.html.erb b/app/views/banners/show.html.erb
@@ -11,7 +11,7 @@
         <div class="flex items-center gap-2">
           <%= link_to("Banners", banners_path, class: "btn btn-secondary-outline") %>
           <%= link_to "Dashboard", root_path, class: "btn btn-secondary-outline" %>
-          <% if current_user&.super_user? %>
+          <% if current_user_admin? %>
             <%= link_to("Edit", edit_banner_path(@banner), class: "btn btn-primary-outline") %>
           <% end %>
         </div>

diff --git a/app/views/categories/show.html.erb b/app/views/categories/show.html.erb
@@ -11,7 +11,7 @@
         <div class="flex items-center gap-2">
           <%= link_to("Categories", categories_path, class: "btn btn-secondary-outline") %>
           <%= link_to "Dashboard", root_path, class: "btn btn-secondary-outline" %>
-          <% if current_user&.super_user? %>
+          <% if current_user_admin? %>
             <%= link_to("Edit", edit_category_path(@category), class: "btn btn-primary-outline") %>
           <% end %>
         </div>

diff --git a/app/views/community_news/_community_news_results.html.erb b/app/views/community_news/_community_news_results.html.erb
@@ -31,7 +31,7 @@
 
               <!-- TITLE + BADGES -->
               <span class="inline-flex items-center gap-2">
-                <%= link_to title_with_badges(news, show_hidden_badge: current_user&.super_user?).html_safe,
+                <%= link_to title_with_badges(news, show_hidden_badge: current_user_admin?).html_safe,
                               community_news_path(news),
                               data: { turbo_prefetch: false, turbo_frame: "_top" },
                               target: news.external_link? ? "_blank" : "", rel: "noopener noreferrer",
@@ -47,7 +47,7 @@
 
             <td class="px-6 py-4 text-right">
               <div class="inline-flex gap-2">
-                <% if current_user&.super_user? %>
+                <% if allowed_to?(:edit?, news) %>
                   <%= link_to "Edit",
                                 edit_community_news_path(news),
                                 data: {turbo_frame: "_top"},
@@ -72,7 +72,7 @@
 <% else %>
   <div class="text-center py-16 bg-white rounded-xl border border-gray-200 shadow-sm">
     <h2 class="text-gray-600 text-lg mb-2">No community news yet</h2>
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100 p-3">
         <%= link_to "Create a community news",
                     new_community_news_path,

diff --git a/app/views/community_news/_search_boxes.html.erb b/app/views/community_news/_search_boxes.html.erb
@@ -26,7 +26,7 @@
                                  focus:ring-blue-500 focus:border-blue-500" %>
     </div>
 
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <!-- PUBLISHED -->
       <div class="min-w-[150px] admin-only bg-blue-100 p-2 rounded-md">
         <label for="published" class="block text-xs font-semibold uppercase text-gray-600 tracking-wide mb-1">

diff --git a/app/views/community_news/index.html.erb b/app/views/community_news/index.html.erb
@@ -6,7 +6,7 @@
       </div>
 
       <div class="text-right text-end">
-        <% if current_user&.super_user? %>
+        <% if current_user_admin? %>
           <%= link_to "New community news",
                       new_community_news_path,
                       class: "admin-only bg-blue-100 btn btn-primary-outline" %>

diff --git a/app/views/community_news/show.html.erb b/app/views/community_news/show.html.erb
@@ -9,7 +9,7 @@
         <%= link_to "Dashboard", root_path, class: "btn btn-secondary-outline" %>
         <%= link_to "External URL", safe_url(@community_news.reference_url), target: "_blank", rel: "noopener noreferrer",
                     class: "btn btn-secondary-outline" if @community_news.reference_url.present? %>
-        <% if current_user&.super_user? %>
+        <% if allowed_to?(:edit?, @community_news) %>
           <%= link_to "Edit", edit_community_news_path(@community_news),
                       class: "btn btn-secondary-outline admin-only bg-blue-100" %>
         <% end %>

diff --git a/app/views/event_registrations/index.html.erb b/app/views/event_registrations/index.html.erb
@@ -9,7 +9,7 @@
               <%= EventRegistration.model_name.human.pluralize %> (<%= @event_registrations_count %>)
             </h1>
             <div class="flex gap-2">
-              <% if current_user&.super_user? %>
+              <% if current_user_admin? %>
                 <%= link_to "New #{EventRegistration.model_name.human.downcase}",
                             new_event_registration_path,
                             class: "admin-only bg-blue-100 btn btn-primary-outline" %>

diff --git a/app/views/events/_card.html.erb b/app/views/events/_card.html.erb
@@ -23,7 +23,7 @@
       <%= link_to event_path(event),
                   class: "hover:underline block leading-tight",
                   data: { turbo_prefetch: false, turbo: false } do %>
-        <%= title_with_badges(event, show_hidden_badge: current_user&.super_user?).html_safe %>
+        <%= title_with_badges(event, show_hidden_badge: current_user_admin?).html_safe %>
       <% end %>
     </div>
   </div>

diff --git a/app/views/faqs/_faq.html.erb b/app/views/faqs/_faq.html.erb
@@ -8,7 +8,7 @@
   <div class="border-b border-gray-300">
     <div class="flex items-center w-full">
 
-      <% if current_user&.super_user? %>
+      <% if current_user_admin? %>
         <span class="admin-only bg-blue-100">
           <i
             class="fa-solid fa-sort cursor-move self-center pr-2"
@@ -66,7 +66,7 @@
           <%= faq.question %></span>
       <% end %>
 
-      <% if current_user&.super_user? %>
+      <% if current_user_admin? %>
         <div class="flex flex-col mx-3 ">
           <span class="admin-only bg-blue-100">
             <%= link_to faq,
@@ -127,7 +127,7 @@
     <strong class="sr-only">Answer:</strong>
 
     <%= render "inline_edit", model: faq, attribute: :answer, frame_class: "flex flex-col" do %>
-      <% if current_user&.super_user? %>
+      <% if current_user_admin? %>
         <%= link_to("Edit", edit_faq_path(faq), class: "btn btn-secondary-outline self-end admin-only bg-blue-100") %>
 
       <% end %>

diff --git a/app/views/faqs/_search_boxes.html.erb b/app/views/faqs/_search_boxes.html.erb
@@ -18,7 +18,7 @@
       </div>
     </div>
 
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <!-- Inactive -->
       <div class="admin-only bg-blue-100">
         <div class="w-full md:w-48 mb-3 md:mb-0">

diff --git a/app/views/faqs/index.html.erb b/app/views/faqs/index.html.erb
@@ -8,7 +8,7 @@
       </div>
 
       <div class="text-right text-end">
-        <% if current_user&.super_user? %>
+        <% if current_user_admin? %>
           <%= link_to "New FAQ",
                       new_faq_path,
                       class: "admin-only bg-blue-100 btn btn-primary-outline" %>

diff --git a/app/views/faqs/show.html.erb b/app/views/faqs/show.html.erb
@@ -14,7 +14,7 @@
         <div class="flex items-center gap-2">
           <%= link_to("FAQs", faqs_path, class: "btn btn-secondary-outline") %>
           <%= link_to "Dashboard", root_path, class: "btn btn-secondary-outline" %>
-          <% if current_user&.super_user? %>
+          <% if current_user_admin? %>
             <%= link_to("Edit", edit_faq_path(@faq), class: "btn btn-primary-outline") %>
           <% end %>
         </div>

diff --git a/app/views/monthly_reports/show.html.erb b/app/views/monthly_reports/show.html.erb
@@ -14,7 +14,7 @@
 
         <div class="flex gap-2">
           <%= link_to "Back to Monthly Reports", monthly_reports_path, class: "btn btn-secondary-outline" %>
-          <% if current_user&.super_user? || @monthly_report.user == current_user %>
+          <% if current_user_admin? || @monthly_report.user == current_user %>
             <%= link_to "Edit Log", edit_monthly_report_path(@monthly_report), class: "btn btn-primary-outline" %>
           <% end %>
         </div>

diff --git a/app/views/notifications/_notifications_results.html.erb b/app/views/notifications/_notifications_results.html.erb
@@ -10,7 +10,7 @@
 <% else %>
   <div class="text-center py-16 bg-white rounded-xl border border-gray-200 shadow-sm">
     <h2 class="text-gray-600 text-lg mb-2">No notifications yet</h2>
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100 p-3">
         <%= link_to "Create a notification",
                     new_notification_path,

diff --git a/app/views/organization_statuses/show.html.erb b/app/views/organization_statuses/show.html.erb
@@ -11,7 +11,7 @@
         <div class="flex items-center gap-2">
           <%= link_to("OrganizationStatuses", organization_statuses_path, class: "btn btn-secondary-outline") %>
           <%= link_to "Dashboard", root_path, class: "btn btn-secondary-outline" %>
-          <% if current_user&.super_user? %>
+          <% if current_user_admin? %>
             <%= link_to("Edit", edit_organization_status_path(@organization_status), class: "btn btn-primary-outline") %>
           <% end %>
         </div>

diff --git a/app/views/organizations/_form.html.erb b/app/views/organizations/_form.html.erb
@@ -110,7 +110,7 @@
                         class: "rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring focus:ring-blue-200"
                       } %>
 
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100">
         <%= f.input :organization_status_id,
                     as: :select,
@@ -132,7 +132,7 @@
 
   <!-- WINDOWS / STATUS / START / END -->
   <div class="grid grid-cols-1 md:grid-cols-4 gap-4 mb-6">
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100">
         <%= f.input :start_date,
                     label: "Affiliation start date",
@@ -175,7 +175,7 @@
                 input_html: {
                   class: "rounded-md border-gray-300 shadow-sm focus:ring-blue-500 focus:border-blue-500"
                 } %>
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100">
         <%= f.input :internal_id,
                     label: "Internal Organization ID",
@@ -203,7 +203,7 @@
                 } %>
   </div>
 
-  <% if current_user&.super_user? %>
+  <% if current_user_admin? %>
     <div class="admin-only bg-blue-100">
       <div class="mb-6">
         <%= f.input :notes,
@@ -244,7 +244,7 @@
       Person affiliations
     </div>
     <div class="rounded-lg border border-gray-200 bg-gray-50 p-4 mb-4 shadow-sm">
-      <% if current_user&.super_user? %>
+      <% if current_user_admin? %>
         <div class="admin-only bg-blue-100 p-3">
           <%= f.fields_for :organization_users do |organization_user_form| %>
             <%= render "organization_user_fields",

diff --git a/app/views/organizations/_organization_user_fields.html.erb b/app/views/organizations/_organization_user_fields.html.erb
@@ -1,4 +1,4 @@
-<% if current_user&.super_user? %>
+<% if current_user_admin? %>
   <div class="grid grid-cols-1 md:grid-cols-4 gap-4 items-start mb-4">
 
     <div>

diff --git a/app/views/organizations/_search_boxes.html.erb b/app/views/organizations/_search_boxes.html.erb
@@ -25,7 +25,7 @@
                          onkeypress: "if(event.key === 'Enter'){ this.form.requestSubmit(); }" %>
     </div>
 
-    <% if current_user&.super_user? %>
+    <% if current_user_admin? %>
       <div class="admin-only bg-blue-100">
         <%= label_tag :status, "Status", class: "text-sm font-medium text-gray-700 mb-1 block" %>
         <%= select_tag :organization_status,

diff --git a/app/views/organizations/index.html.erb b/app/views/organizations/index.html.erb
@@ -6,7 +6,7 @@
         <h1 class="text-2xl font-semibold text-gray-900">
           Organizations (<%= number_with_delimiter(@organizations_count) %>)
         </h1>
-        <% if current_user&.super_user? %>
+        <% if current_user_admin? %>
           <%= link_to "New Organization",
                       new_organization_path,
                       class: "admin-only bg-blue-100 btn btn-primary-outline" %>
@@ -95,7 +95,7 @@
               </td>
 
               <td class="px-4 py-2 text-center whitespace-nowrap">
-                <% if current_user&.super_user? %>
+                <% if allowed_to?(:edit?, organization) %>
                   <%= link_to "Edit", edit_organization_path(organization),
                               class: "admin-only bg-blue-100 btn btn-secondary-outline text-xs px-2 py-1" %>
                 <% end %>