user policy to allow profile edits

app/controllers/admin/profile_controller.rb

@@ -2,14 +2,17 @@
 module Admin
   class ProfileController < AdminController
     def view
+      authorize current_user
     end
 
     def edit
       @user = current_user
+      authorize @user
     end
 
     def update
       @user = current_user
+      authorize @user
 
       if @user.update_attributes(user_params)
         redirect_to admin_profile_path,

app/controllers/admin_controller.rb

@@ -4,8 +4,8 @@ class AdminController < ApplicationController
   layout 'admin'
   before_action :authorize_user
 
-  # TODO: after_action :verify_authorized, except: :index
-  # TODO: after_action :verify_policy_scoped, only: :index
+  # after_action :verify_authorized, except: :index
+  # after_action :verify_policy_scoped, only: :index
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 

app/policies/user_policy.rb

@@ -3,9 +3,10 @@ class UserPolicy < ApplicationPolicy
   # User Access Policy
   #
   # Only Admins can view, create, or update, users
+  # All other users can only access themselves (profile interface)
 
   def view?
-    user.admin? && show?
+    user.admin? || user == record
   end
 
   def create?
@@ -13,7 +14,7 @@ class UserPolicy < ApplicationPolicy
   end
 
   def update?
-    user.admin?
+    user.admin? || user == record
   end
 
   class Scope < Scope