diff --git a/app/controllers/plans_controller.rb b/app/controllers/plans_controller.rb
index bc9b490..7b0daa6 100644
--- a/app/controllers/plans_controller.rb
+++ b/app/controllers/plans_controller.rb
@@ -5,8 +5,7 @@
 # GET /plans/1/edit
 def edit
 @plan = Plan.find(params[:id])
-
-
+ authorize @plan
 if !user_signed_in? then
 respond_to do |format|
 format.html { redirect_to edit_user_registration_path }
@@ -22,6 +21,7 @@
 # PUT /plans/1.json
 def update
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.editable_by(current_user.id) then
 respond_to do |format|
 if @plan.update_attributes(params[:plan])
@@ -29,7 +29,6 @@
 format.json { head :no_content }
 else
 format.html { render action: "edit" }
- format.json { render json: @plan.errors, status: :unprocessablne_entity }
 end
 end
 else
@@ -37,9 +36,11 @@
 end
 end
 
- # GET /status/1.json
- def status
+ # GET /status/1.json
+ # only returns json, why is this here?
+ def status
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.readable_by(current_user.id) then
 respond_to do |format|
 format.json { render json: @plan.status }
@@ -51,6 +52,7 @@
 
 def section_answers
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.readable_by(current_user.id) then
 respond_to do |format|
 format.json { render json: @plan.section_answers(params[:section_id]) }
@@ -62,6 +64,7 @@
 
 def locked
 @plan = Plan.find(params[:id])
+ authorize @plan
 if !@plan.nil? && user_signed_in? && @plan.readable_by(current_user.id) then
 respond_to do |format|
 format.json { render json: @plan.locked(params[:section_id],current_user.id) }
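Review bot: `authorize @plan` now runs before the `if !user_signed_in?` check, and the new PlanPolicy#initialize raises `Pundit::NotAuthorizedError` for a nil user, so a signed-out visitor never reaches the `redirect_to edit_user_registration_path` branch — it becomes dead code unless ApplicationController has a `rescue_from Pundit::NotAuthorizedError` handler, which this diff does not show. Either move the call below the sign-in guard (`authorize @plan` immediately before the signed-in branch) or add a rescue_from handler that redirects to sign-in and drop the now-redundant controller check. Consider `after_action :verify_authorized` as well, so an action added later without an `authorize` call fails closed instead of silently skipping the policy. The body of edit continues past the hunk.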
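Review bot: Deleting `format.json { render json: @plan.errors, status: :unprocessablne_entity }` removes the JSON error response for a failed update instead of fixing the misspelt status symbol; the action is documented as `PUT /plans/1.json`, and a JSON client whose save fails now has no handler in the else branch rather than receiving a 422. Restore the line as `format.json { render json: @plan.errors, status: :unprocessable_entity }`. The same removal of JSON responses happens in the delete_recent_locks, unlock_all_sections and unlock_section hunks, while lock_section keeps its error JSON but drops `head :no_content`, so the actions end up inconsistent; if dropping JSON is intentional, the `.json` route comments should change with it. The enclosing update method starts before this hunk.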
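Review bot: The new comment `# only returns json, why is this here?` leaves an open question in the source rather than a decision; if the action is suspected unused, record it as `# TODO: status is only requested as JSON — confirm callers before removing` or remove the action. The `# GET /status/1.json` and `def status` lines are removed and re-added with identical visible text, which looks like a whitespace-only change that adds noise to blame history. The status method continues past the hunk.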
@@ -73,14 +76,13 @@
 
 def delete_recent_locks
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.editable_by(current_user.id) then
 respond_to do |format|
 if @plan.delete_recent_locks(current_user.id)
 format.html { render action: "edit" }
- format.json { head :no_content }
 else
 format.html { render action: "edit" }
- format.json { render json: @plan.errors, status: :unprocessable_entity }
 end
 end
 else
@@ -90,14 +92,13 @@
 
 def unlock_all_sections
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.editable_by(current_user.id) then
 respond_to do |format|
 if @plan.unlock_all_sections(current_user.id)
 format.html { render action: "edit" }
- format.json { head :no_content }
 else
 format.html { render action: "edit" }
- format.json { render json: @plan.errors, status: :unprocessable_entity }
 end
 end
 else
@@ -107,11 +108,11 @@
 
 def lock_section
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.editable_by(current_user.id) then
 respond_to do |format|
 if @plan.lock_section(params[:section_id], current_user.id)
 format.html { render action: "edit" }
- format.json { head :no_content }
 else
 format.html { render action: "edit" }
 format.json { render json: @plan.errors, status: :unprocessable_entity }
@@ -124,14 +125,14 @@
 
 def unlock_section
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.editable_by(current_user.id) then
 respond_to do |format|
 if @plan.unlock_section(params[:section_id], current_user.id)
 format.html { render action: "edit" }
- format.json { head :no_content }
+
 else
- format.html { render action: "edit" }
- format.json { render json: @plan.errors, status: :unprocessable_entity }
+ format.html { render action: "edit" }]
 end
 end
 else
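Review bot: The rewritten else branch of unlock_section ends with `format.html { render action: "edit" }]` — the trailing `]` is a syntax error, so plans_controller.rb will fail to load and every action in it becomes unavailable. Change the line to `format.html { render action: "edit" }` and drop the stray blank line added after `format.html` in the success branch. With both branches now rendering the same view and no JSON response left, the result of `@plan.unlock_section(...)` no longer affects the response; if that is intended a comment saying so would help, otherwise keep the 422 JSON error. The unlock_section method continues past the hunk.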
@@ -141,6 +142,7 @@
 
 def answer
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.readable_by(current_user.id) then
 respond_to do |format|
 format.json { render json: @plan.answer(params[:q_id], false).to_json(:include => :options) }
@@ -152,6 +154,7 @@
 
 def warning
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.readable_by(current_user.id) then
 respond_to do |format|
 format.json { render json: @plan.warning(params[:option_id]) }
@@ -163,6 +166,7 @@
 
 def export
 @plan = Plan.find(params[:id])
+ authorize @plan
 if user_signed_in? && @plan.readable_by(current_user.id) then
 @exported_plan = ExportedPlan.new.tap do |ep|
diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb
new file mode 100644
index 0000000..2d4d08a
--- /dev/null
+++ b/app/policies/plan_policy.rb
@@ -0,0 +1,58 @@
+class PlanPolicy < ApplicationPolicy
+ attr_reader :user
+ attr_reader :plan
+
+ def initialize(user, plan)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @plan = plan
+ end
+
+ def edit?
+ @plan.editable_by(@user.id)
+ end
+
+ def export?
+ @plan.readable_by(@user.id)
+ end
+
+ def update?
+ @plan.editable_by(@user.id)
+ end
+
+ def status?
+ @plan.readable_by(@user.id)
+ end
+
+ def section_answers?
+ @plan.readable_by(@user.id)
+ end
+
+ def locked?
+ @plan.readable_by(@user.id)
+ end
+
+ def delete_recent_locks?
+ @plan.editable_by(@user.id)
+ end
+
+ def unlock_all_sections?
+ @plan.editable_by(@user.id)
+ end
+
+ def lock_section?
+ @plan.editable_by(@user.id)
+ end
+
+ def unlock_section?
+ @plan.editable_by(@user.id)
+ end
+
+ def answer?
+ @plan.readable_by(@user.id)
+ end
+
+ def warning?
+ @plan.readable_by(@user.id)
+ end
+end
\ No newline at end of file
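Review bot: Raising `Pundit::NotAuthorizedError` from PlanPolicy#initialize makes every `authorize` call raise for an anonymous user before any predicate runs, so the controller's `user_signed_in?` checks that follow `authorize @plan` can never be the path that handles a signed-out request; the controller-side redirect to sign-in only survives if ApplicationController rescues that error, which this diff does not show. The policy exposes the record as `plan` rather than the `record` reader Pundit's generated ApplicationPolicy uses, so any inherited method or Scope referencing `record` would break — worth confirming against ApplicationPolicy, or adding `alias_method :record, :plan`. The twelve predicates reduce to two checks, and `alias_method :update?, :edit?` style aliases (or two private helpers `editable?` / `readable?`) would make the access rule per action easier to audit. Actions not defined here (index?, show?, create?, destroy?) fall back to whatever ApplicationPolicy returns, which should be `false` so unlisted actions fail closed.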