diff --git a/app/controllers/platforms/platforms_controller.rb b/app/controllers/platforms/platforms_controller.rb
index 93925dba7..0404292e0 100644
--- a/app/controllers/platforms/platforms_controller.rb
+++ b/app/controllers/platforms/platforms_controller.rb
@@ -5,6 +5,7 @@ class Platforms::PlatformsController < Platforms::BaseController
   skip_before_action :authenticate_user!, only: [:advisories, :members, :show] if APP_CONFIG['anonymous_access']
 
   def index
+    authorize :platform
     respond_to do |format|
       format.html {}
 
@@ -17,22 +18,23 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def show
-    authorize @platform = Platform.find_cached(params[:id])
   end
 
   def new
+    authorize @platform = Platform.new
     @admin_uname = current_user.uname
     @admin_id = current_user.id
-    @platform = Platform.new
   end
 
   def edit
+    authorize @platform
     @admin_id = @platform.owner.id
     @admin_uname = @platform.owner.uname
   end
 
   def create
-    @admin_id = params[:admin_id]
+    authorize @platform = Platform.new(params[:platform])
+    @admin_id = params[:admin_id]
     @admin_uname = params[:admin_uname]
     # FIXME: do not allow manipulate owner model, only platforms onwer_id and onwer_type
     @platform.owner = @admin_id.blank? ? get_owner : User.find(@admin_id)
@@ -47,6 +49,7 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def update
+    authorize @platform
     @admin_id = params[:admin_id]
     @admin_uname = params[:admin_uname]
 
@@ -54,7 +57,6 @@ class Platforms::PlatformsController < Platforms::BaseController
     platform_params = platform_params.slice(:description, :platform_arch_settings_attributes, :released, :automatic_metadata_regeneration, :default_branch)
     platform_params[:owner] = User.find(@admin_id) if @admin_id.present?
 
-
     respond_to do |format|
       format.html do
         if @platform.update_attributes(platform_params)
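Review bot: In `create`, `authorize @platform = Platform.new(params[:platform])` runs before `@platform.owner` is assigned two lines further down, so a `create?` policy that inspects the record's owner would see either nil or whatever owner fields arrived in `params[:platform]`, not the owner the action actually sets; whether PlatformPolicy#create? looks at the record is not visible in this diff. Moving the check to just after the `@platform.owner = ...` line, or authorizing the class with `authorize :platform` as `index` now does, makes it apply to the object that will be saved. The existing FIXME on the owner line still stands: `User.find(@admin_id)` accepts any user id as the new owner, and nothing in this commit constrains that. The rest of `create` continues outside the hunk.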
@@ -76,6 +78,7 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def regenerate_metadata
+    authorize @platform
     if @platform.regenerate
       flash[:notice] = I18n.t('flash.platform.saved')
     else
@@ -85,6 +88,7 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def change_visibility
+    authorize @platform
     if @platform.change_visibility
       flash[:notice] = I18n.t("flash.platform.saved")
       redirect_to @platform
@@ -96,12 +100,14 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def clone
+    authorize @platform
     @cloned = Platform.new
     @cloned.name = @platform.name + "_clone"
     @cloned.description = @platform.description + "_clone"
   end
 
   def make_clone
+    authorize @platform
     @cloned = @platform.full_clone params[:platform].merge(owner: current_user)
     if @cloned.persisted?
       flash[:notice] = I18n.t("flash.platform.clone_success")
@@ -113,16 +119,19 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def destroy
+    authorize @platform
     @platform.destroy # later with resque
     flash[:notice] = t("flash.platform.destroyed")
     redirect_to platforms_path
   end
 
   def members
+    authorize @platform
     @members = @platform.members.order(:uname)
   end
 
   def remove_members
+    authorize @platform
     User.where(id: params[:members]).each do |user|
       @platform.remove_member(user)
     end
@@ -130,7 +139,8 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def add_member
-    member = User.where(id: params[:member_id]).first
+    authorize @platform
+    member = User.find_by(id: params[:member_id])
     if !member
       flash[:error] = t("flash.collaborators.wrong_user", uname: params[:member_id])
     elsif @platform.add_member(member)
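Review bot: `remove_members` here keeps `User.where(id: params[:members]).each do |user|`, while the same method in repositories_controller.rb in this commit is switched to `.find_each`; the two controllers should agree, so either write `User.where(id: params[:members]).find_each do |user|` here too or leave both on `.each` (batching buys little for a short list of member ids). The redirect that closes `remove_members` is outside the hunk.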
@@ -142,13 +152,22 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def advisories
+    authorize @platform
     @advisories = @platform.advisories.paginate(page: params[:page])
   end
 
   def clear
+    authorize @platform
     @platform.clear
     flash[:notice] = t('flash.repository.clear')
     redirect_to edit_platform_path(@platform)
   end
 
+  private
+
+  # Private: before_action hook which loads Platform.
+  def load_platform
+    authorize @platform = Platform.find_cached(params[:id]), :show? if params[:id]
+  end
+
 end
diff --git a/app/controllers/platforms/repositories_controller.rb b/app/controllers/platforms/repositories_controller.rb
index 637d35798..faf5b707b 100644
--- a/app/controllers/platforms/repositories_controller.rb
+++ b/app/controllers/platforms/repositories_controller.rb
@@ -7,8 +7,6 @@ class Platforms::RepositoriesController < Platforms::BaseController
   before_action :authenticate_user!
   skip_before_action :authenticate_user!, only: [:index, :show, :projects_list] if APP_CONFIG['anonymous_access']
 
-  # load_and_authorize_resource :platform
-  # load_and_authorize_resource :repository, through: :platform, shallow: true
   before_action :set_members, only: [:edit, :update]
   before_action :load_repository
   before_action -> { @repository = @platform.repositories.find(params[:id]) if params[:id] }
@@ -23,9 +21,11 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def edit
+    authorize @repository
   end
 
   def update
+    authorize @repository
     if @repository.update_attributes params[:repository].slice(:description, :synchronizing_publications, :publish_builds_only_from_branch).merge(publish_without_qa: (params[:repository][:publish_without_qa] || @repository.publish_without_qa))
       flash[:notice] = I18n.t("flash.repository.updated")
       redirect_to platform_repository_path(@platform, @repository)
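Review bot: `authorize @platform = Platform.find_cached(params[:id]), :show? if params[:id]` in `load_platform` packs an assignment, a second positional argument and a modifier `if` into one command call and is easy to misread as `@platform = [..., :show?]`; it does parse as `authorize((@platform = ...), :show?)`, but spelling it out is clearer: `return unless params[:id]` / `@platform = Platform.find_cached(params[:id])` / `authorize @platform, :show?`. The same inline-assignment form is used in `new` and `create` of this controller and in `new`, `create` and `load_repository` of repositories_controller.rb. The comment calls this a before_action hook, but the `before_action :load_platform` registration is not part of this diff, so confirm it exists (presumably in the controller header or Platforms::BaseController); without it every `authorize @platform` in the actions would be invoked on nil. When `params[:id]` is absent the method silently leaves `@platform` unset, which is fine for `index`, `new` and `create` but means the per-action `authorize` calls are what fail closed elsewhere.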
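Review bot: With `load_repository` now assigning `@repository` itself, the following `before_action -> { @repository = @platform.repositories.find(params[:id]) if params[:id] }` line is redundant: it issues a second `find` for the same id and replaces the record that was just authorized with `:show?` by an equal but freshly loaded one. Dropping the lambda leaves a single load-and-authorize path, which appears to be what removing the `load_and_authorize_resource` comments was aiming at. Where `@platform` is set for this controller is outside the hunk.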
@@ -37,14 +37,16 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def remove_members
-    User.where(id: params[:members]).each do |user|
+    authorize @repository
+    User.where(id: params[:members]).find_each do |user|
       @repository.remove_member(user)
     end
     redirect_to edit_platform_repository_path(@platform, @repository)
   end
 
   def add_member
-    if member = User.where(id: params[:member_id]).first
+    authorize @repository
+    if member = User.find_by(id: params[:member_id])
       if @repository.add_member(member)
         flash[:notice] = t('flash.repository.members.successfully_added', name: member.uname)
       else
@@ -55,11 +57,12 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def new
-    @repository = Repository.new
+    authorize @repository = @platform.repositories.new
     @platform_id = params[:platform_id]
   end
 
   def destroy
+    authorize @repository
     @repository.destroy
     flash[:notice] = t("flash.repository.destroyed")
 
@@ -67,7 +70,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def create
-    @repository = @platform.repositories.build(params[:repository])
+    authorize @repository = @platform.repositories.build(params[:repository])
     if @repository.save
       flash[:notice] = t('flash.repository.saved')
       redirect_to platform_repository_path(@platform, @repository)
@@ -78,6 +81,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def add_project
+    authorize @repository
     if projects_list = params.try(:[], :repository).try(:[], :projects_list)
       @repository.add_projects projects_list, current_user
       redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_added')
@@ -102,6 +106,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def projects_list
+    authorize @repository
     render(text: @repository.projects.map(&:name).join("\n")) && return if params[:text] == 'true'
     owner_subquery = "
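Review bot: `if member = User.find_by(id: params[:member_id])` in `add_member` keeps an assignment inside the condition, which reads like a typo for `==` and is flagged by RuboCop; the platforms controller in this same commit writes the equivalent as `member = User.find_by(id: params[:member_id])` followed by a plain `if`, and the two should share that shape. Splitting it into `member = User.find_by(id: params[:member_id])` and `if member` changes nothing at runtime. The not-found branch of `add_member` is below the hunk.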
@@ -137,6 +142,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def remove_project
+    authorize @repository
     if projects_list = params.try(:[], :repository).try(:[], :projects_list)
       @repository.remove_projects projects_list
       redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_removed')
@@ -152,6 +158,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def regenerate_metadata
+    authorize @repository
     if @repository.regenerate(params[:repository].try :[], :build_for_platform_id)
       flash[:notice] = t('flash.repository.regenerate_in_queue')
     else
@@ -161,6 +168,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def sync_lock_file
+    authorize @repository
     if params[:remove]
       @repository.remove_sync_lock_file
       flash[:notice] = t('flash.repository.sync_lock_file_removed')
@@ -171,10 +179,11 @@ class Platforms::RepositoriesController < Platforms::BaseController
     redirect_to edit_platform_repository_path(@platform, @repository)
   end
 
-protected
+  protected
 
+  # Private: before_action hook which loads Repository.
   def load_repository
-    @repository = @platform.repositories.find(params[:id]) if params[:id]
+    authorize @repository = @platform.repositories.find(params[:id]), :show? if params[:id]
   end
 
   def set_members
diff --git a/app/policies/platform_policy.rb b/app/policies/platform_policy.rb
index c84a61beb..9843d7626 100644
--- a/app/policies/platform_policy.rb
+++ b/app/policies/platform_policy.rb
@@ -1,7 +1,7 @@
 class PlatformPolicy < ApplicationPolicy
 
   def index?
-    true
+    !user.guest?
   end
 
   def show?
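Review bot: `index?` now returns `!user.guest?`, which assumes `user` is never nil; Pundit hands the policy `nil` for an unauthenticated request unless ApplicationPolicy (not in this diff) substitutes a guest object, and a `NoMethodError` there would surface as a 500 rather than a denial. If a guest null-object is not guaranteed, `user && !user.guest?` keeps the method safe and fails closed. The controller still keeps `:index` behind `authenticate_user!` (it is not in the skip list), so this change is defence in depth rather than the only gate. The body of `show?` continues past the end of the diff.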