diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb
new file mode 100644
index 00000000..44e7bfd7
--- /dev/null
+++ b/app/policies/mapping_policy.rb
@@ -0,0 +1,31 @@
+class MappingPolicy < ApplicationPolicy
+ class Scope < Scope
+ def resolve
+ # TODO base this on the map policy
+ # it would be nice if we could also base this on the mappable, but that
+ # gets really complicated. Devin thinks it's OK to SHOW a mapping for
+ # a private topic, since you can't see the private topic anyways
+ scope.joins(:maps).where('maps.permission IN ("public", "commons") OR user_id = ?', user.id)
+ end
+ end
+
+ def show?
+ map = policy(record.map, user)
+ mappable = policy(record.mappable, user)
+ map.show? && mappable.show?
+ end
+
+ def create?
+ map = policy(record.map, user)
+ map.edit?
+ end
+
+ def update?
+ map = policy(record.map, user)
+ map.update?
+ end
+
+ def destroy?
+ record.user == user || admin_override
+ end
+end
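Review bot: `Scope#resolve` is looser than `show?`: it filters only on the map's permission, so a collection built from this scope can list mappings that `show?` would refuse because of the mappable, and the inline comment accepts that without saying which mapping fields (the mappable id and type, for example) are then exposed. The `where` fragment also has three fragile spots: `user.id` raises for a signed-out visitor if `user` can be nil, the bare `user_id` is ambiguous if both joined tables carry that column, and `"public"` in double quotes is read as an identifier rather than a string by PostgreSQL. Something like `.where('maps.permission IN (?) OR mappings.user_id = ?', %w[public commons], user&.id)` would avoid all three, assuming the table is named `mappings` and the mapping's owner is the intended column. Separately, `destroy?` checks only `record.user == user || admin_override` and never consults the map policy the way `create?` and `update?` do, so it is worth confirming that an author who has lost edit access to the map should still be able to delete, and that a nil `user` cannot match a record with no owner.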