diff --git a/surveys.go b/surveys.go
index 63e514f..d5091f5 100644
--- a/surveys.go
+++ b/surveys.go
@@ -52,6 +52,7 @@ func declareAPISurveysRoutes(router *gin.RouterGroup) {
 
 surveysRoutes := router.Group("/surveys/:sid")
 surveysRoutes.Use(surveyHandler)
+ surveysRoutes.Use(surveyUserAccessHandler)
 
 surveysRoutes.GET("", func(c *gin.Context) {
 u := c.MustGet("LoggedUser").(*User)
@@ -198,6 +199,20 @@ func surveyHandler(c *gin.Context) {
 }
 }
 
+func surveyUserAccessHandler(c *gin.Context) {
+ u := c.MustGet("LoggedUser").(*User)
+ w := c.MustGet("survey").(*Survey)
+
+ if u.IsAdmin {
+ c.Next()
+ } else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
+ c.Next()
+ } else {
+ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Survey not found."})
+ return
+ }
+}
+
 type Survey struct {
 Id int64 `json:"id"`
 Title string `json:"title"`
diff --git a/works.go b/works.go
index f318741..248e35c 100644
--- a/works.go
+++ b/works.go
@@ -190,6 +190,7 @@ func declareAPIAdminWorksRoutes(router *gin.RouterGroup) {
 func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
 worksRoutes := router.Group("/works/:wid")
 worksRoutes.Use(workHandler)
+ worksRoutes.Use(workUserAccessHandler)
 
 worksRoutes.GET("", func(c *gin.Context) {
 u := c.MustGet("LoggedUser").(*User)
@@ -209,7 +210,9 @@ func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
 u := c.MustGet("LoggedUser").(*User)
 w := c.MustGet("work").(*Work)
 
- if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) {
+ if !u.IsAdmin && !w.Corrected {
+ c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Permission denied"})
+ } else if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) {
 c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Aucune note n'a été attribuée pour ce travail. Avez-vous rendu ce travail ?"})
 } else if err != nil {
 log.Printf("Unable to GetMyWorkGrade(uid=%d;wid=%d): %s", u.Id, w.Id, err.Error())
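Review bot: The membership test in surveyUserAccessHandler, `strings.Contains(u.Groups, ","+w.Group+",")`, is only correct if `u.Groups` is stored with a leading and trailing comma and no spaces (`,a,b,`); if it is stored as `a,b`, a member of `a` is refused (it fails closed, so no bypass, but access silently breaks), and a `w.Group` value containing a comma or surrounding whitespace can never match. I cannot see how Groups is written, so either document that invariant next to the check, e.g. `// u.Groups is stored as ",g1,g2," — the sentinel commas make the substring test exact`, or compare tokens instead of substrings so the check does not depend on the storage format. Since this is the only thing standing between a non-admin and a hidden or group-restricted survey, the comparison deserves a unit test with a group name that is a substring of another (e.g. `a` vs `ab`). A token-based helper on User would look like the following and the middleware condition becomes `w.Shown && (w.Group == "" || u.inGroup(w.Group))`.
```go
// inGroup reports whether u belongs to group, comparing whole
// entries of the comma-separated u.Groups rather than substrings.
func (u *User) inGroup(group string) bool {
	for _, g := range strings.Split(u.Groups, ",") {
		if strings.TrimSpace(g) == group {
			return true
		}
	}
	return false
}
```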
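Review bot: In the grade handler, the new `"Permission denied"` message is in English while the neighbouring `errmsg` two lines below is in French, so the client will show users a mixed-language error depending on which branch fires; pick one language for the user-facing `errmsg` strings of this handler. The `!u.IsAdmin && !w.Corrected` gate itself is placed correctly before `GetMyWorkGrade`, so an uncorrected grade is never read for a non-admin. The enclosing handler closure begins and ends outside this hunk, so I cannot tell whether the other routes on `/works/:wid` apply the same Corrected check.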
@@ -236,6 +239,20 @@ func workHandler(c *gin.Context) {
 }
 }
 
+func workUserAccessHandler(c *gin.Context) {
+ u := c.MustGet("LoggedUser").(*User)
+ w := c.MustGet("work").(*Work)
+
+ if u.IsAdmin {
+ c.Next()
+ } else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
+ c.Next()
+ } else {
+ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."})
+ return
+ }
+}
+
 type OneWork struct {
 Kind string `json:"kind"`
 Id int64 `json:"id"`
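Review bot: workUserAccessHandler is a line-for-line copy of surveyUserAccessHandler from surveys.go, including the comma-delimited group test, so the two authorization checks will drift apart the first time one of them is fixed; factor the decision into one shared predicate and keep the middlewares as thin wrappers that only differ in the context key and the 404 message. As a point of style, the explicit `c.Next()` calls and the `return` after `AbortWithStatusJSON` are redundant in a gin middleware, which continues the chain when the handler returns without aborting, so the allow branches can simply fall through. With a shared helper the body of this middleware reduces to `if !canAccess(u, w.Shown, w.Group) { c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."}) }`.
```go
// canAccess reports whether u may see a resource: admins always can,
// others only when it is shown and either unrestricted or restricted to
// a group u belongs to (same rule surveys.go applies to surveys).
func canAccess(u *User, shown bool, group string) bool {
	if u.IsAdmin {
		return true
	}
	return shown && (group == "" || strings.Contains(u.Groups, ","+group+","))
}
```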