diff --git a/src/routes/owner.rs b/src/routes/owner.rs
index 35dc212..d941c7e 100644
--- a/src/routes/owner.rs
+++ b/src/routes/owner.rs
@@ -2,7 +2,7 @@ use std::sync::Arc;
 use axum::{extract::{Path, State}, Json};
 use reqwest::{StatusCode};
-use sea_orm::{ActiveModelTrait, ActiveValue::{NotSet, Set, Unchanged}, EntityTrait, TryIntoModel};
+use sea_orm::{ActiveModelTrait, ActiveValue::{NotSet, Set}, ColumnTrait, EntityTrait, QueryFilter, TryIntoModel};
 use serde::{Deserialize, Serialize};
 use utoipa::IntoParams;
@@ -22,7 +22,8 @@ struct OwnerByIdParams(u32);
 security(("jwt" = [])),
 responses(
 (status = OK, body = owner::Model, description = "Found owner with corresponding ID in the database"),
- (status = NOT_FOUND, description = "No owner with this id exists in the database")
+ (status = NOT_FOUND, description = "No owner with this id exists in the database"),
+ (status = FORBIDDEN, description = "You do not own the specified owner"),
 ),
 summary = "Get an owner by its ID",
 description = "Get an owner from its ID",
@@ -30,10 +31,15 @@ struct OwnerByIdParams(u32);
 )]
 pub async fn get_owner_by_id(
 State(state): State>,
+ claims: Claims,
 Path(id): Path,
 ) -> (StatusCode, Json>) {
 if let Ok(Some(res)) = Owner::find_by_id(id).one(state.db_conn.as_ref()).await {
- (StatusCode::OK, Json(Some(res)))
+ if res.user_id != claims.user_id { (StatusCode::FORBIDDEN, Json(None)) } else { (StatusCode::OK, Json(Some(res))) }
 } else {
 (StatusCode::NOT_FOUND, Json(None))
 }
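Review bot: The new ownership check in `get_owner_by_id` answers FORBIDDEN for a row owned by another user and NOT_FOUND for a missing row, so any authenticated caller can enumerate which owner ids exist simply by probing ids and comparing 403 against 404. Since this commit already imports `ColumnTrait`/`QueryFilter` and `get_owners` scopes its query with `owner::Column::UserId`, the same scoping belongs in the query here — `Owner::find_by_id(id).filter(owner::Column::UserId.eq(claims.user_id)).one(state.db_conn.as_ref()).await` — and the inner `if res.user_id != claims.user_id` branch goes away, so foreign and nonexistent ids both yield NOT_FOUND; the `FORBIDDEN` entry added to `responses(...)` in the preceding hunk would then be dropped rather than documented. Separately, `if let Ok(Some(res))` still maps a database `Err` to 404; that is pre-existing, but it is now inconsistent with `get_owners`, which logs the error and returns 500.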
@@ -165,14 +171,15 @@ pub async fn update_owner(
 )]
 pub async fn get_owners(
 State(state): State>,
-) -> (StatusCode, Json>>) {
- match Owner::find().all(state.db_conn.as_ref()).await {
+ claims: Claims
+) -> (StatusCode, Json>) {
+ match Owner::find().filter(owner::Column::UserId.eq(claims.user_id)).all(state.db_conn.as_ref()).await {
 Err(e) => {
 log::error!(target: "api", "Error while getting owner list: {:#?}", e);
- (StatusCode::INTERNAL_SERVER_ERROR, Json(None))
+ (StatusCode::INTERNAL_SERVER_ERROR, Json(vec![]))
 }
 Ok(owners) => {
 - (StatusCode::OK, Json(Some(owners)))
+ (StatusCode::OK, Json(owners))
 }
 }
 }
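Review bot: On the `Err(e)` arm `get_owners` now returns a well-formed `[]` alongside INTERNAL_SERVER_ERROR, so a client that deserializes the body before checking the status will read a database failure as "this user has no owners"; the previous `None` at least kept the failure visible in the body. If dropping the `Option` wrapper is intentional, consider returning a distinct error body on that arm instead of an empty list, and presumably the `#[utoipa::path]` attribute that ends at `)]` (outside the hunk) still declares the old `Option` body type and needs the matching update. Style: `claims: Claims` lacks the trailing comma used by the other parameters and by `get_owner_by_id`; write `claims: Claims,`.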