The authorization setting in my Ruby on Rails project is not working correctly. This site uses Devise for authorization.
The site has an admin who should have access to self and all others within the site when logged in. The site has users who should have access to only their own profile, training log, and workouts when logged in.
The site doesn't restrict users from accessing each other when logged in.
The site doesn't restrict access when not logged in.
The site is hosted on Heroku (live demo) and the code is on GitHub.
Please see the attachment for the bugs which need to be fixed.
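The access rule described in this post, written out as an added plain-Ruby example; it is not part of the original post or the project's code. `User`, `Record` and `AccessPolicy` are hypothetical names and the sample data is constructed. In a Rails app using Devise, the logged-out check corresponds to `before_action :authenticate_user!` and the remaining checks would compare against `current_user`.

```ruby
# Hypothetical stand-ins for the app's models (not the project's own classes).
User   = Struct.new(:id, :admin, keyword_init: true)
Record = Struct.new(:kind, :owner_id, keyword_init: true) # :profile, :training_log, :workout

module AccessPolicy
  # Decide a single request. Order matters: authentication first, then role,
  # then ownership; anything not explicitly allowed is denied.
  def self.decide(current_user, record)
    return :login_required if current_user.nil?          # not logged in
    return :ok if current_user.admin                     # admin sees everyone
    return :ok if record.owner_id == current_user.id     # users see only their own
    :forbidden
  end

  # Scope a collection the same way, so index pages cannot leak other
  # users' records even when the per-record check is correct.
  def self.visible(current_user, records)
    return [] if current_user.nil?
    return records if current_user.admin
    records.select { |r| r.owner_id == current_user.id }
  end

  # Build a decision table for every (user, record) pair, including the
  # logged-out case, to compare against what the live site actually does.
  def self.matrix(users, records)
    ([nil] + users).flat_map do |u|
      records.map { |r| [u ? u.id : :anonymous, r.kind, r.owner_id, decide(u, r)] }
    end
  end
end

# Constructed sample data: one admin, two ordinary users, records owned by user 2.
SAMPLE_USERS = [
  User.new(id: 1, admin: true),
  User.new(id: 2, admin: false),
  User.new(id: 3, admin: false)
].freeze
SAMPLE_RECORDS = [
  Record.new(kind: :profile,      owner_id: 2),
  Record.new(kind: :training_log, owner_id: 2),
  Record.new(kind: :workout,      owner_id: 2)
].freeze

if __FILE__ == $PROGRAM_NAME
  AccessPolicy.matrix(SAMPLE_USERS, SAMPLE_RECORDS).each { |row| puts row.inspect }
end
```

The two behaviours reported above correspond to the `:login_required` and `:forbidden` rows of the table never being enforced.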