diff --git a/crates/domain/src/user.rs b/crates/domain/src/user.rs
index 1e70b4f..57e37c9 100644
--- a/crates/domain/src/user.rs
+++ b/crates/domain/src/user.rs
@@ -88,10 +88,20 @@ impl Role {
     }
 
     /// The authorization policy: whether this role may perform `capability`.
+    ///
+    /// The `Editor` arm is an exhaustive `match` on purpose: adding a new
+    /// [`Capability`] variant is a compile error here until its Editor access is
+    /// decided explicitly, so the policy fails closed rather than silently granting
+    /// new capabilities to Editors.
     pub fn allows(self, capability: Capability) -> bool {
         match self {
             Role::Admin => true,
-            Role::Editor => !matches!(capability, Capability::ManageUsers),
+            Role::Editor => match capability {
+                Capability::EditCatalogue
+                | Capability::PublishObjects
+                | Capability::ViewInternal => true,
+                Capability::ManageUsers => false,
+            },
         }
     }
 }
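Review bot: `allows` returns a bare `bool` with no `#[must_use]`, so a caller that evaluates the decision and drops the result compiles silently and the check is effectively skipped; put `#[must_use = "an ignored authorization decision is an unchecked access"]` on the line above `pub fn allows`. The new doc comment promises the policy fails closed for new `Capability` variants, but the unchanged `Role::Admin => true` arm still grants every future variant implicitly, so the doc should state that Admin is a deliberate grant-all and that the fail-closed property applies to the Editor arm only. Since the point of the rewrite is that the table is explicit, it is worth pinning with a unit test so a later "tidy-up" back to a wildcard is caught, e.g. `assert!(!Role::Editor.allows(Capability::ManageUsers));` and `assert!(Role::Editor.allows(Capability::EditCatalogue));`. The closing `}` at the top of the hunk belongs to a method that starts outside it.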