diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
new file mode 100644
index 0000000..0a673f5
--- /dev/null
+++ b/app/controllers/admin_controller.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class AdminController < ApplicationController
+ # Authorizes based on a user-controlled request parameter.
+ before_action :ensure_admin
+
+ def dashboard
+ render plain: "Top secret: Admin-only diagnostics"
+ end
+
+ private
+
+ def ensure_admin
+ allowed = params[:admin] == 'true' || params[:role] == 'admin'
+ return if allowed
+
+ render plain: "Forbidden", status: :forbidden
+ end
+end
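Review bot: The `ensure_admin` filter lets anyone reach `dashboard` by sending `?admin=true` or `?role=admin`, because `allowed` is computed solely from `params`, which the client controls; the comment above `before_action` even records this. An authorization decision must come from server-side state established at login (the session's user and its stored role), never from the request being authorized. Assuming the app exposes an authenticated principal as `current_user` with an admin predicate (neither is visible in this diff), the filter reduces to `return if current_user&.admin?` followed by the existing `render plain: "Forbidden", status: :forbidden`, and the `allowed` line is dropped; if no such helper exists, resolve the user from `session` and deny when there is none. The misleading comment should then read `# Only an authenticated user whose server-side role is admin may proceed.`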