Authorization is handled by the third-party gem Pundit through the authorize method which you can find in various controllers, look for statements like:
authorize
1 authorize @user
1
authorize @user
All authorization policies can be found in /app/policies.
/app/policies