diff --git a/server/api/controller/event.js b/server/api/controller/event.js
index 958fee5e..7cacf41b 100644
--- a/server/api/controller/event.js
+++ b/server/api/controller/event.js
@@ -124,6 +124,9 @@ const eventController = {
 const id = Number(req.params.event_id)
 const event = await Event.findByPk(id)
 if (!event) { return res.sendStatus(404) }
+ if (!req.user.is_admin && req.user.id !== event.userId) {
+ return res.sendStatus(403)
+ }
 try {
 event.is_visible = true
@@ -143,6 +146,9 @@ const eventController = {
 const id = Number(req.params.event_id)
 const event = await Event.findByPk(id)
 if (!event) { return req.sendStatus(404) }
+ if (!req.user.is_admin && req.user.id !== event.userId) {
+ return res.sendStatus(403)
+ }
 try {
 event.is_visible = false
diff --git a/server/api/index.js b/server/api/index.js
index bba88c21..9e28c1c4 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -83,8 +83,8 @@ api.post('/settings', fillUser, isAdmin, settingsController.setRequest)
 api.get('/settings/user_locale', settingsController.getUserLocale)
 // confirm event
-api.get('/event/confirm/:event_id', isAuth, isAdmin, eventController.confirm)
-api.get('/event/unconfirm/:event_id', isAuth, isAdmin, eventController.unconfirm)
+api.get('/event/confirm/:event_id', isAuth, eventController.confirm)
+api.get('/event/unconfirm/:event_id', isAuth, eventController.unconfirm)
 // get event
 api.get('/event/:event_id.:format?', fillUser, eventController.get)
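Review bot: The new ownership check in `confirm` is now the only authorization on this endpoint (the route no longer has `isAdmin`), yet it is written inline and repeated verbatim in `unconfirm`, so the two can silently drift the next time one is touched; lift it into one helper, e.g. `const canManageEvent = (user, event) => Boolean(user) && (user.is_admin || user.id === event.userId)` and `if (!canManageEvent(req.user, event)) { return res.sendStatus(403) }`. Note that `req.user.id !== event.userId` is a strict comparison, so if the session stores the id as a string while the model column is numeric, every non-admin owner will be refused (it fails closed, but the feature will not work); worth confirming the types match. Replying 403 for someone else's event and 404 for a missing one also lets any logged-in user enumerate which event ids exist, including unconfirmed ones — returning 404 in both cases avoids that if it matters here. The enclosing `confirm` handler continues past the end of the hunk.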
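Review bot: The context line directly above the new check in `unconfirm` reads `if (!event) { return req.sendStatus(404) }` — `req`, not `res` — so an unconfirm of a non-existent id throws a TypeError inside the async handler instead of answering 404, while the new branch right below it correctly uses `res.sendStatus(403)`; since this commit is already hardening this exact code path, fix it here: `if (!event) { return res.sendStatus(404) }`. The same 403-then-mutate structure as in `confirm` applies, so whatever helper the ownership test ends up in should be used from both handlers. The rest of the `unconfirm` body lies outside the hunk.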
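Review bot: Dropping `isAdmin` from both routes means any authenticated user can reach `confirm`/`unconfirm`, and the only thing stopping them from flipping someone else's event is the per-event check inside the controller; a comment on the route makes that dependency explicit for the next person editing either file, e.g. `// confirm event — owner-or-admin check lives in eventController.confirm/unconfirm`. Separately, these remain `api.get` routes that change server state (`is_visible`), so if `isAuth` is satisfied by a cookie or session rather than a bearer token, a non-admin can now be made to confirm or unconfirm their own events via a cross-site image/link or browser prefetch; switching them to `api.put` (or `api.post`) closes that, and is worth doing now that the audience of the endpoint has widened. I cannot see how `isAuth` authenticates from this diff, so treat the CSRF point as something to verify.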