diff --git a/app/templates/album/index.html b/app/templates/album/index.html
index 7b2fb9e..2a9d034 100644
--- a/app/templates/album/index.html
+++ b/app/templates/album/index.html
@@ -14,8 +14,10 @@
{% endfor %}
-
- dodaj +
-
+ {% if user.is_authenticated %}
+
+ dodaj +
+
+ {% endif %}
{% endblock content %}
\ No newline at end of file
diff --git a/app/views.py b/app/views.py
index ae62ae4..6dcca49 100644
--- a/app/views.py
+++ b/app/views.py
@@ -5,6 +5,7 @@ from django.contrib.auth.forms import UserCreationForm as RegisterForm
from django.core.exceptions import PermissionDenied
from django.views.decorators.http import require_http_methods
from django.views.decorators.csrf import csrf_exempt
+from django.contrib.auth.decorators import login_required
from app.forms import PhotoEditForm
def register(request):
@@ -38,6 +39,7 @@ def photo(request, photo_id, album_id):
return render(request, "album/photo.html", locals())
+@login_required
def add_album(request):
if request.method == 'POST':
form = AlbumForm(request.POST, request.FILES)
@@ -55,6 +57,9 @@ def add_album(request):
def add_photo(request, album_id):
album = get_object_or_404(Album, pk=album_id)
+ if not album.is_owned_by(request.user):
+ raise PermissionDenied()
+
if request.method == 'POST':
form = PhotoForm(request.POST, request.FILES)
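Review bot: add_photo still carries no `@login_required`, so the ownership check added right after `album = get_object_or_404(Album, pk=album_id)` also runs for anonymous requests; `album.is_owned_by(request.user)` then receives an AnonymousUser and the caller gets a 403 (or whatever is_owned_by does with a user that has no pk — not visible here) instead of the login redirect that add_album now gets in the previous hunk. Add `@login_required` directly above `def add_photo(request, album_id):` so the two views behave consistently, and keep the ownership check after it. Placing the check before the `request.method` branch is right, since it covers GET as well as POST. add_photo's body continues outside the hunk.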