diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b084d5f..55ca1a2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,6 +8,17 @@ def after_sign_in_path_for(resource)
     new_facility_path
   end
+  def render_unauthorized(text)
+    render_status_code(text, 401)
+  end
+
+  def render_not_found(text)
+    render_status_code(text, 404)
+  end
+
+  def render_status_code(text, code)
+    render(text: text, status: code, layout: 'application') && return
+  end
   protected
diff --git a/app/controllers/facilities_controller.rb b/app/controllers/facilities_controller.rb
index 34a1a92..39139c6 100644
--- a/app/controllers/facilities_controller.rb
+++ b/app/controllers/facilities_controller.rb
@@ -1,7 +1,7 @@
 class FacilitiesController < ApplicationController
+  before_action :set_facility_user
   before_action :set_facility, only: [:show, :edit, :update, :destroy]
   before_action :authenticate_user!, except: [:show]
-  before_action :set_facility_user
   # GET /facilities
   # GET /facilities.json
@@ -68,7 +68,15 @@ def destroy
   private
     # Use callbacks to share common setup or constraints between actions.
     def set_facility
-      @facility = Facility.find(params[:id])
+      if current_user.site_admin? || action_name == 'show'
+        @facility = Facility.find(params[:id])
+      else # restrict edit/update/destroy to only facilities associated with the user.
+        begin
+          @facility = current_user.facilities.find(params[:id])
+        rescue
+          render_not_found('Sorry, that facility could not be found.')
+        end
+      end
     end
     def set_facility_user
diff --git a/app/models/user.rb b/app/models/user.rb
index 7c74876..86736ab 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -25,5 +25,4 @@ def full_name
   def display_name
     full_name || email
   end
-
 end
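Review bot: The three `render_*` helpers are inserted above the `protected` marker, so they are public instance methods of ApplicationController, and Rails treats public controller methods as actions — any route that happened to match them (a catch-all `:controller/:action` route, for example) would expose them directly; move them below `protected` or precede them with `private`. The `&& return` in `render_status_code` only returns from that method, not from the before_action that called `render_not_found`, so it offers callers no halting guarantee (the halt comes from Rails seeing the callback has already rendered); drop it or comment why it is there. `render text:` was deprecated in Rails 5.0 and removed in 5.1 in favour of `plain:` — the Rails version is not visible in this diff, so confirm before relying on it. Finally, 401 denotes a missing or invalid credential; for a signed-in user who lacks rights, 403 is the accurate status, so consider `render_status_code(text, 403)` or renaming the helper to match 401 semantics.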
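Review bot: After this reorder, `set_facility` still runs before `authenticate_user!` for edit/update/destroy, and the rewritten `set_facility` in the next hunk dereferences `current_user` (`current_user.site_admin?`), so an anonymous request to those actions presumably raises NoMethodError on nil instead of being redirected to sign-in (assuming Devise's `current_user`, which returns nil when nobody is signed in). Moving `before_action :authenticate_user!, except: [:show]` to the first position restores the expected redirect for both `set_facility` and the relocated `set_facility_user`. The body of `set_facility_user` is outside this diff, so whether it also depends on a signed-in user cannot be confirmed here; if it does, the same ordering applies.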
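Review bot: `current_user.site_admin?` is evaluated before `action_name == 'show'`, and `show` is exempt from `authenticate_user!`, so an anonymous visitor to a public show page hits NoMethodError on nil rather than the `Facility.find` branch; swap the operands so the public case short-circuits, `if action_name == 'show' || current_user.site_admin?`. The bare `rescue` catches every StandardError, not just `ActiveRecord::RecordNotFound`, so a database or application failure in that branch is silently reported as a 404; narrow it to `rescue ActiveRecord::RecordNotFound`. Scoping the lookup through `current_user.facilities` and answering 404 rather than 403 is a good choice, since it does not reveal whether a foreign facility id exists; a comment stating that intent would stop a future maintainer "fixing" it to 403. The enclosing private section and the following `set_facility_user` definition continue outside this hunk.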