diff --git a/Gemfile b/Gemfile
index 96d4c21..3e5b267 100644
--- a/Gemfile
+++ b/Gemfile
@@ -85,6 +85,9 @@ gem 'devise-i18n', '~> 1.7'
 # Supports ActiveRecord and Mongoid ORMs.
 gem 'rolify', '~> 5.2'
+# Object oriented authorization for Rails applications.
+gem 'pundit', '~> 2.0'
+
 group :development, :test do
 # factory_bot provides a framework and DSL for defining and using factories.
 gem 'factory_bot_rails', '~> 4.10'
diff --git a/Gemfile.lock b/Gemfile.lock
index 240a59b..ded8243 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -162,6 +162,8 @@ GEM
 pry-rails (0.3.7)
 pry (>= 0.10.4)
 puma (3.12.0)
+ pundit (2.0.0)
+ activesupport (>= 3.0.0)
 rack (2.0.6)
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
@@ -324,6 +326,7 @@ DEPENDENCIES
 pg (>= 0.18, < 2.0)
 pry-rails (~> 0.3)
 puma (~> 3.11)
+ pundit (~> 2.0)
 rails (~> 5.2.1)
 rails-i18n (~> 5.1)
 rest-client (~> 2.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4db1919..aebca5e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 class ApplicationController < ActionController::Base
- class NotAuthorizedError < RuntimeError; end
+ include Pundit
 before_action :set_raven_context
diff --git a/app/controllers/telegram_bot_updates_controller.rb b/app/controllers/telegram_bot_updates_controller.rb
index 2834e10..59e5355 100644
--- a/app/controllers/telegram_bot_updates_controller.rb
+++ b/app/controllers/telegram_bot_updates_controller.rb
@@ -18,6 +18,9 @@ private
 end
 def verify_telegram_bot_secret
- raise NotAuthorizedError unless params[:secret] == @telegram_bot.secret
+ return if params[:secret] == @telegram_bot.secret
+
+ raise NotAuthorizedError.new query: "#{action_name}?",
+ record: @telegram_bot
 end
 end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
new file mode 100644
index 0000000..50f2d7c
--- /dev/null
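Review bot: `include Pundit` replaces the controller's own `NotAuthorizedError < RuntimeError` with `Pundit::NotAuthorizedError` (a `StandardError`), but nothing in this hunk maps that exception to an HTTP 403, so unless a handler exists further down the file (the hunk shows only the first seven lines) an authorization failure will surface as a 500 with a stack trace in development and as an unhandled error in Sentry. Any `rescue ApplicationController::NotAuthorizedError` elsewhere in the app will also stop matching, since that constant no longer exists; worth a grep. I would add, next to `include Pundit`, `rescue_from Pundit::NotAuthorizedError, with: :render_forbidden` and consider `after_action :verify_authorized, except: :index` so that an action that forgets to call `authorize` fails closed rather than silently skipping the check. The rest of `ApplicationController` is outside the hunk, so this may already be handled.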
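Review bot: The added `return if params[:secret] == @telegram_bot.secret` keeps the pre-existing plain `==` comparison of a request-supplied token against a stored secret, which is not constant-time; the change was a good moment to switch to `ActiveSupport::SecurityUtils.secure_compare`, which is available in the Rails 5.2 this app locks. `secure_compare` also raises on non-String input, and `params[:secret]` can be `nil` or an Array/Hash from query-string tricks like `secret[]=`, so coerce both sides first: `return if ActiveSupport::SecurityUtils.secure_compare(params[:secret].to_s, @telegram_bot.secret.to_s)`. The `NotAuthorizedError` constant now resolves to `Pundit::NotAuthorizedError` through the `include Pundit` in `ApplicationController`, which is fine, but the error's `query:`/`record:` fields suggest a policy lookup that this webhook-secret check is not actually performing, so a short comment such as `# Shared-secret check for the Telegram webhook; not a Pundit policy, the error class is reused for uniform 403 handling` would save the next reader a detour.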
+++ b/app/policies/application_policy.rb @@ -0,0 +1,51 @@ +# frozen_string_literal: true + +class ApplicationPolicy + attr_reader :user, :record + + def initialize(user, record) + @user = user + @record = record + end + + def index? + false + end + + def show? + false + end + + def create? + false + end + + def new? + create? + end + + def update? + false + end + + def edit? + update? + end + + def destroy? + false + end + + class Scope + attr_reader :user, :scope + + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + scope.all + end + end +end
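Review bot: `Scope#resolve` defaults to `scope.all`, which is the one permissive default in a file where every action predicate (`index?`, `show?`, `create?`, `update?`, `destroy?`) defaults to `false`; a subclass policy that defines its action methods but forgets to override `resolve` will return every record through `policy_scope` with no error to flag the omission. I would make the base scope fail closed too, either `scope.none` or, more loudly, `raise NotImplementedError, "#{self.class} must define #resolve"` so a missing override shows up in tests rather than as a data exposure. This mirrors Pundit's generated template, so it may be a deliberate starting point, but a deny-by-default base class is the safer one to inherit from. A one-line class comment stating the convention, e.g. `# Deny-by-default base policy: subclasses opt in to each action and must define Scope#resolve`, would make the intent explicit.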