diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d83690e..3ea39cf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,4 +2,8 @@ class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
+
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to root_url, alert: exception.message
+  end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
new file mode 100644
index 0000000..f04be4f
--- /dev/null
+++ b/app/models/ability.rb
@@ -0,0 +1,13 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    user ||= User.new # guest user (not logged in)
+
+    if user.penning?
+      can :manage, :all
+    else
+      can :read, user, id: user.id
+    end
+  end
+end