diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index e47f9e38..386919f3 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,10 +1,12 @@ class MessagesController < ApplicationController
- before_filter :require_user, except: [:show]
+ before_action :require_user, except: [:show]
+ after_action :verify_authorized
 # GET /messages/1.json
 def show
 @message = Message.find(params[:id])
+ authorize @message
 respond_to do |format|
 format.json { render json: @message }
@@ -15,8 +17,8 @@ class MessagesController < ApplicationController
 # POST /messages.json
 def create
 @message = Message.new(message_params)
- @message.user = current_user
+ authorize @message
 respond_to do |format|
 if @message.save
@@ -31,6 +33,7 @@ class MessagesController < ApplicationController
 # PUT /messages/1.json
 def update
 @message = Message.find(params[:id])
+ authorize @message
 respond_to do |format|
 if @message.update_attributes(message_params)
@@ -45,6 +48,8 @@ class MessagesController < ApplicationController
 # DELETE /messages/1.json
 def destroy
 @message = Message.find(params[:id])
+ authorize @message
+ @message.destroy
 respond_to do |format|
diff --git a/app/models/message.rb b/app/models/message.rb
index ca9d8553..0481192f 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
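Review bot: `after_action :verify_authorized` in the first hunk runs only after the action has rendered, so a forgotten `authorize` in some future action is reported after the response has already been built; it is a development safety net, not a guard, and each action here still needs its own `authorize` line. `authorize @message` raises `Pundit::NotAuthorizedError`, and nothing in this diff rescues it, so unless ApplicationController already has `rescue_from Pundit::NotAuthorizedError` mapped to a 403, an unauthorized request to these JSON actions surfaces as a 500. Note too that `show` is exempt from `require_user`, so its `authorize @message` runs with a nil `current_user`; MessagePolicy must tolerate `user == nil` on that path.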
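Review bot: In the `create` hunk the removed line `@message.user = current_user` has no replacement, yet `MessagePolicy#update?` and `#destroy?` decide ownership with `record.user == user`. If `message_params` does not permit `user_id`, every new message is ownerless and nobody can later edit or delete it; if it does, a client can submit any `user_id` and claim ownership of a message it did not write. Keep the server-side assignment ahead of the check, `@message.user = current_user` immediately before `authorize @message`, and do not accept `user_id` through mass assignment. The rest of `create` continues outside the hunk.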
@@ -16,39 +16,4 @@ class Message < ActiveRecord::Base
 json
 end
- ##### PERMISSIONS ######
-
- def authorize_to_delete(user)
- if (self.user != user)
- return false
- end
- return self
- end
-
- # returns false if user not allowed to 'show' Topic, Synapse, or Map
- def authorize_to_show(user)
- if (self.resource && self.resource.permission == "private" && self.resource.user != user)
- return false
- end
- return self
- end
-
- # returns false if user not allowed to 'edit' Topic, Synapse, or Map
- def authorize_to_edit(user)
- if !user
- return false
- elsif (self.user != user)
- return false
- end
- return self
- end
-
- # returns Boolean if user allowed to view Topic, Synapse, or Map
- def authorize_to_view(user)
- if (self.resource && self.resource.permission == "private" && self.resource.user != user)
- return false
- end
- return true
- end
-
 end
diff --git a/app/policies/message_policy.rb b/app/policies/message_policy.rb
new file mode 100644
index 00000000..af2efb0c
--- /dev/null
+++ b/app/policies/message_policy.rb
@@ -0,0 +1,36 @@
+class MessagePolicy < ApplicationPolicy
+ class Scope < Scope
+ def resolve
+ visible = ['public', 'commons']
+ permission = 'maps.permission IN (?)'
+ if user
+ scope.joins(:maps).where(permission + ' OR maps.user_id = ?', visible, user.id)
+ else
+ scope.where(permission, visible)
+ end
+ end
+ end
+
+ def show?
+ resource_policy.show?
+ end
+
+ def create?
+ record.resource.present? && resource_policy.update?
+ end
+
+ def update?
+ record.user == user
+ end
+
+ def destroy?
+ record.user == user || admin_override
+ end
+
+ # Helpers
+
+ def resource_policy
+ @resource_policy ||= Pundit.policy(user, record.resource)
+ end
+
+end
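Review bot: `show?` in the new MessagePolicy calls `resource_policy.show?` unconditionally, and `resource_policy` hands `record.resource` straight to `Pundit.policy`; for a message whose resource is nil (or of a type without a policy) that raises instead of denying, which `show`, the one action open to anonymous users, turns into a 500 rather than a 403. `create?` already guards with `record.resource.present?`, so `show?` should match it: `record.resource.present? && resource_policy.show?`. Separately, the anonymous branch of `Scope#resolve` filters on `maps.permission` without the `joins(:maps)` the authenticated branch applies, so unless `scope` already carries that join the query fails on an unknown table; applying `joins(:maps)` once before the `if user` branch removes the asymmetry. `admin_override` in `destroy?` is not defined in this file and is presumably inherited from ApplicationPolicy; `update?` does not use it, which may or may not be intended.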