diff --git a/web/auth/middleware.go b/web/auth/middleware.go
index bd8916b..046e389 100644
--- a/web/auth/middleware.go
+++ b/web/auth/middleware.go
@@ -39,7 +39,7 @@ func MiddlewarePermissionParam(ws *web.Service, obj HasPermission, param string)
 			})
 			c.Abort()
 		}
-		_, err = obj.HasPermission(ws.DB, userID, objID)
+		d, err := obj.HasPermission(ws.DB, userID, objID)
 		if err != nil {
 			c.JSON(http.StatusUnauthorized, web.HTTPError{
 				Message: ErrAPINoPermission.Error(),
@@ -47,5 +47,11 @@ func MiddlewarePermissionParam(ws *web.Service, obj HasPermission, param string)
 			})
 			c.Abort()
 		}
+		if d == nil {
+			c.JSON(http.StatusNotFound, web.HTTPError{
+				Message: web.ErrAPINotFound.Error(),
+			})
+			c.Abort()
+		}
 	}
 }