diff --git a/app/Policies/GoalPolicy.php b/app/Policies/GoalPolicy.php
new file mode 100644
index 0000000..1dce17f
--- /dev/null
+++ b/app/Policies/GoalPolicy.php
@@ -0,0 +1,20 @@
+id === $goal->user_id;
+ }
+
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 75e4c49..fe06bac 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -2,7 +2,9 @@
 namespace App\Providers;
+use App\Models\Goal;
 use App\Models\User;
+use App\Policies\GoalPolicy;
 use App\Policies\UserPolicy;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
@@ -13,6 +15,7 @@ class AuthServiceProvider extends ServiceProvider
 * @inheritdoc
 */
 protected $policies = [
+ Goal::class => GoalPolicy::class,
 User::class => UserPolicy::class,
 ];
diff --git a/routes/auth.php b/routes/auth.php
index 40a5987..3ad7c89 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -26,8 +26,9 @@
 Route::get('/foods/{food}/delete', [FoodController::class, 'delete'])->name('foods.delete');
 // Goals.
- Route::resource('goals', GoalController::class);
- Route::get('/goals/{goal}/delete', [GoalController::class, 'delete'])->name('goals.delete');
+ Route::resource('goals', GoalController::class)->only(['index', 'create', 'store']);
+ Route::resource('goals', GoalController::class)->except(['index', 'create', 'store'])->middleware(['can:access,goal']);
+ Route::get('/goals/{goal}/delete', [GoalController::class, 'delete'])->middleware(['can:access,goal'])->name('goals.delete');
 // Ingredient picker.
 Route::get('/ingredient-picker/search', [IngredientPickerController::class, 'search'])->name('ingredient-picker.search');
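Review bot: The ownership check in GoalPolicy.php, visible only as `id === $goal->user_id`, is a strict comparison, so it denies the real owner whenever the two values differ in type, for instance if the database driver hands back `user_id` as a string while the user's `id` is an int. That fails closed, but it surfaces as unexplained 403s; an integer cast for `user_id` on the Goal model (`'user_id' => 'integer'` in its casts) or comparing `(int)` values on both sides removes the dependency on the driver. Most of this new file, including the method signature, is missing from the page, so the method name and parameter types could not be checked against the `can:access,goal` middleware.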
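Review bot: In the routes/auth.php goals hunk, `index`, `create` and `store` are registered without `can:access,goal`, so the policy only protects routes that bind `{goal}`; whether one user's goals stay out of another user's list depends on GoalController, which this page does not show. `index` should scope its query to the authenticated user (for example `where('user_id', $request->user()->id)`), and `store` should take `user_id` from the authenticated user rather than from request input. A feature test that requests another user's `/goals/{goal}`, `/goals/{goal}/edit` and `/goals/{goal}/delete` and expects a 403 would pin the new middleware. The enclosing route group opens outside this hunk, so its own middleware could not be checked.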
@@ -51,10 +52,8 @@
 // Users.
 Route::get('/profile/{user}', [ProfileController::class, 'show'])->name('profiles.show');
-});
-Route::middleware(['auth', 'can:editProfile,user'])->group(function () {
 // Profiles (non-admin Users variant).
- Route::get('/profile/{user}/edit', [ProfileController::class, 'edit'])->name('profiles.edit');
- Route::put('/profile/{user}', [ProfileController::class, 'update'])->name('profiles.update');
+ Route::get('/profile/{user}/edit', [ProfileController::class, 'edit'])->middleware(['can:editProfile,user'])->name('profiles.edit');
+ Route::put('/profile/{user}', [ProfileController::class, 'update'])->middleware(['can:editProfile,user'])->name('profiles.update');
 });
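Review bot: The profile edit and update routes no longer sit in a group that names `auth` explicitly; they now rely on the enclosing group, whose opening line is outside this hunk, to require a logged-in user. If that group applies `auth` the behaviour is unchanged; if it does not, a guest would reach `can:editProfile,user` directly and most likely get a 403 instead of a login redirect. Since both routes repeat the same middleware, a nested `Route::middleware('can:editProfile,user')->group(...)` inside the outer group would keep the check in one place. `profiles.show` remains without a `can:` check, which is worth confirming as intended.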