diff --git a/src/Core/CoreServiceProvider.php b/src/Core/CoreServiceProvider.php
index 5d6fb2e4a..2323b2720 100644
--- a/src/Core/CoreServiceProvider.php
+++ b/src/Core/CoreServiceProvider.php
@@ -73,13 +73,25 @@ class CoreServiceProvider extends AbstractServiceProvider
 });
 $this->app->make('flarum.gate')->before(function (User $actor, $ability, $model = null) {
+ // Fire an event so that core and extension policies can hook into
+ // this permission query and explicitly grant or deny the
+ // permission.
+ $allowed = $this->app->make('events')->until(
+ new GetPermission($actor, $ability, $model ? [$model] : [])
+ );
+
+ if (! is_null($allowed)) {
+ return $allowed;
+ }
+
+ // If no policy covered this permission query, we will only grant
+ // the permission if the actor's groups have it. Otherwise, we will
+ // not allow the user to perform this action.
 if ($actor->isAdmin() || (! $model && $actor->hasPermission($ability))) {
 return true;
 }
- return $this->app->make('events')->until(
- new GetPermission($actor, $ability, $model ? [$model] : [])
- );
+ return false;
 });
 $this->registerPostTypes();
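Review bot: The precedence change in this `before` hook is not documented: because the `GetPermission` answer is returned before `$actor->isAdmin()` is consulted, any listener that returns `false` now denies the ability to administrators as well, so a single misbehaving extension policy can lock admins out of every ability, including administration itself. The closure also never returns null any more (`return false;` replaces the old pass-through of the `until()` result), so if anything is still registered on the gate via `define()` it presumably becomes unreachable — worth confirming against the rest of the provider. I would state both consequences on the first comment block: `// NOTE: a policy answer (true/false) wins over admin status and group permissions; this hook never returns null, so abilities defined directly on the gate are not consulted.` The `$ability` and `$model` parameters are untyped while `$actor` is; `string $ability` would make the contract explicit. The enclosing `boot` method starts and ends outside the hunk.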