diff --git a/modul/host/apidatabase.go b/modul/host/apidatabase.go
index 93413cb..9e6fe66 100644
--- a/modul/host/apidatabase.go
+++ b/modul/host/apidatabase.go
@@ -22,17 +22,19 @@ func getDatabase(w http.ResponseWriter, r *http.Request) (database Database, ret
 w.WriteHeader(http.StatusBadRequest)
 return
 }
- database = Database{}
+ database = Database{ID: id}
+ db := dbconnection.First(&database)
- if login.Superadmin {
- dbconnection.Where("ID = ?", id).Find(&database)
- } else {
- dbconnection.Where(map[string]int64{"ID": id, "profil": profil.ID}).Find(&database)
+ if db.Error != nil || db.RecordNotFound() {
+ returnerr = &libapi.ErrorResult{Fields: []string{"database"}, Message: "database not found"}
+ w.WriteHeader(http.StatusNotFound)
 }
- if database.ID <= 0 {
- returnerr = &libapi.ErrorResult{Fields: []string{"database"}, Message: "not found"}
- w.WriteHeader(http.StatusNotFound)
+ if !login.Superadmin {
+ if profil.ID != database.ProfilID {
+ returnerr = &libapi.ErrorResult{Fields: []string{"profil"}, Message: "not allowed to get database"}
+ w.WriteHeader(http.StatusForbidden)
+ }
 }
 return
 }
@@ -42,6 +44,7 @@ func databaseList(w http.ResponseWriter, r *http.Request) {
 login := ctx.Value("login").(*system.Login)
 profil := ctx.Value("profil").(*Profil)
 logger := log.GetLog(r, "databaselist")
+ logger = setProfilLog(r, logger)
 var database []*Database
 if login.Superadmin && r.URL.Query().Get("filter") == "all" {
 dbconnection.Preload("Profil").Preload("Profil.Login").Find(&database)
@@ -56,6 +59,7 @@ func databaseAdd(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 profil := ctx.Value("profil").(*Profil)
 logger := log.GetLog(r, "databaseadd")
+ logger = logger.WithField("pID", profil.ID)
 var databaseRequest Database
 returnerr := libapi.JSONDecoder(w, r, logger, &databaseRequest)
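Review bot: The not-found branch in getDatabase does not return, so a non-superadmin asking for a missing ID falls through into the ownership check, where `database.ProfilID` is the zero value; `returnerr` is then overwritten with "not allowed to get database" and `w.WriteHeader(http.StatusForbidden)` is called after `http.StatusNotFound` has already been written, so the client receives a 404 status with a 403 body and net/http logs a superfluous WriteHeader. A `return` directly after the `w.WriteHeader(http.StatusNotFound)` line fixes it; getDomain, getMail and getWeb in this diff have the same shape and need the same line. Separately, `db.Error != nil || db.RecordNotFound()` turns any real database error into a silent 404; splitting the two (`db.RecordNotFound()` → 404, any other `db.Error` → logged and `http.StatusInternalServerError`) keeps outages distinguishable from bad IDs. Also consider whether a foreign ID should answer 403 at all, since a status that differs from the missing-ID case confirms to the caller that the row exists — returning 404 for both non-owner cases is the more conservative choice. The head of getDatabase, including the id parsing, lies outside the hunk.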
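Review bot: databaseAdd attaches the profil ID by hand with `logger = logger.WithField("pID", profil.ID)` while the rest of this diff goes through the new `setProfilLog(r, logger)` helper from lib.go, so the field name is now spelled in two places. Using the helper here (and in domainList, which does the same) keeps a single definition of the field and makes a later rename a one-line change.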
@@ -82,10 +86,11 @@ func databaseAdd(w http.ResponseWriter, r *http.Request) {
 func databaseEdit(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "databaseedit")
+ logger = setProfilLog(r, logger)
 database, returnerr := getDatabase(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
@@ -112,10 +117,11 @@ func databaseEdit(w http.ResponseWriter, r *http.Request) {
 func databaseDelete(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "databasedelete")
+ logger = setProfilLog(r, logger)
 database, returnerr := getDatabase(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
diff --git a/modul/host/apidomain.go b/modul/host/apidomain.go
index 50526dc..1c95e80 100644
--- a/modul/host/apidomain.go
+++ b/modul/host/apidomain.go
@@ -23,17 +23,20 @@ func getDomain(w http.ResponseWriter, r *http.Request) (domain Domain, returnerr
 w.WriteHeader(http.StatusBadRequest)
 return
 }
- domain = Domain{}
- if login.Superadmin {
- dbconnection.Where("ID = ?", id).Find(&domain)
- } else {
- dbconnection.Where(map[string]int64{"ID": id, "profil": profil.ID}).Find(&domain)
+ domain = Domain{ID: id}
+ db := dbconnection.First(&domain)
+
+ if db.Error != nil || db.RecordNotFound() {
+ returnerr = &libapi.ErrorResult{Fields: []string{"domain"}, Message: "domain not found"}
+ w.WriteHeader(http.StatusNotFound)
 }
- if domain.ID <= 0 {
- returnerr = &libapi.ErrorResult{Fields: []string{"domain"}, Message: "not found"}
- w.WriteHeader(http.StatusNotFound)
+ if !login.Superadmin {
+ if profil.ID != domain.ProfilID {
+ returnerr = &libapi.ErrorResult{Fields: []string{"profil"}, Message: "not allowed to get domain"}
+ w.WriteHeader(http.StatusForbidden)
+ }
 }
 return
 }
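Review bot: `logger.Info(returnerr.Message)` in databaseEdit logs an ownership denial (the 403 path of getDatabase) at the same level and in the same shape as a plain missing ID, so a tenant-boundary violation cannot be picked out of the logs without parsing the message text. The error result already carries `Fields`, so the handler can route on it — every result getDatabase produces in this diff has exactly one field — for example `if returnerr.Fields[0] == "profil" { logger.Warn(returnerr.Message) } else { logger.Info(returnerr.Message) }`; alternatively getDatabase could return the HTTP status it wrote so the handler logs denials at Warn together with the requested ID. databaseDelete below and every Show/Edit/Delete/List handler in this diff use the same one-liner and would benefit from the same split.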
@@ -43,6 +46,7 @@ func domainList(w http.ResponseWriter, r *http.Request) {
 login := ctx.Value("login").(*system.Login)
 profil := ctx.Value("profil").(*Profil)
 logger := log.GetLog(r, "domainlist")
+ logger = logger.WithField("pID", profil.ID)
 var domain []*Domain
 if login.Superadmin && r.URL.Query().Get("filter") == "all" {
 dbconnection.Preload("Profil").Preload("Profil.Login").Find(&domain)
@@ -55,13 +59,14 @@ func domainList(w http.ResponseWriter, r *http.Request) {
 func domainShow(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "domainshow")
+ logger = setProfilLog(r, logger)
 domain, returnerr := getDomain(w, r)
+ logger = logger.WithField("dID", domain.ID)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
- logger = logger.WithField("dID", domain.ID)
 logger.Info("done")
 libapi.JSONWrite(w, r, domain, nil)
 }
@@ -70,6 +75,7 @@ func domainAdd(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 profil := ctx.Value("profil").(*Profil)
 logger := log.GetLog(r, "domainadd")
+ logger = setProfilLog(r, logger)
 var domainRequest Domain
 returnerr := libapi.JSONDecoder(w, r, logger, &domainRequest)
@@ -104,14 +110,15 @@ func domainEdit(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 login := ctx.Value("login").(*system.Login)
 logger := log.GetLog(r, "domainedit")
+ logger = setProfilLog(r, logger)
 domain, returnerr := getDomain(w, r)
+ logger = logger.WithField("dID", domain.ID)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
- logger = logger.WithField("dID", domain.ID)
 var domainRequest Domain
 returnerr = libapi.JSONDecoder(w, r, logger, &domainRequest)
@@ -140,14 +147,15 @@ func domainEdit(w http.ResponseWriter, r *http.Request) {
 func domainDelete(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "domaindelete")
+ logger = setProfilLog(r, logger)
 domain, returnerr := getDomain(w, r)
+ logger = logger.WithField("dID", domain.ID)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
- logger = logger.WithField("dID", domain.ID)
 if err := dbconnection.Unscoped().Delete(domain).Error; err != nil {
 logger.Error("database: during create host domain: ", err)
diff --git a/modul/host/apimail.go b/modul/host/apimail.go
index bfac37a..32ebe24 100644
--- a/modul/host/apimail.go
+++ b/modul/host/apimail.go
@@ -25,24 +25,30 @@ func getMail(w http.ResponseWriter, r *http.Request) (mail Mail, returnerr *liba
 }
 mail = Mail{}
- if login.Superadmin {
- dbconnection.Where("ID = ?", id).Preload("Forwards").Find(&mail)
- } else {
- dbconnection.Where(map[string]int64{"ID": id, "domain.profil": profil.ID}).Preload("Forwards").Find(&mail)
- }
- if mail.ID <= 0 {
- returnerr = &libapi.ErrorResult{Fields: []string{"mail"}, Message: "not found"}
+ db := dbconnection.Where("ID = ?", id).Preload("Domain").Preload("Forwards").First(&mail)
+
+ if db.Error != nil || db.RecordNotFound() {
+ returnerr = &libapi.ErrorResult{Fields: []string{"mail"}, Message: "mail not found"}
 w.WriteHeader(http.StatusNotFound)
 }
+ if !login.Superadmin {
+ if mail.Domain.ProfilID != profil.ID {
+ returnerr = &libapi.ErrorResult{Fields: []string{"profil"}, Message: "not allowed to get mail"}
+ w.WriteHeader(http.StatusForbidden)
+ }
+ }
+
 return
 }
 func mailList(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "maillist")
 var mail []*Mail
+ logger = setProfilLog(r, logger)
+
 domain, returnerr := getDomain(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
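Review bot: The ownership decision in getMail, `mail.Domain.ProfilID != profil.ID`, rests entirely on `Preload("Domain")` having filled `mail.Domain`; if the preload yields no row (for instance the referenced domain is absent), `ProfilID` is the zero value and the owner is refused with 403 while a superadmin still sees the mail. That is fail-closed, which is the right direction, but nothing in the code or the logs says so; a comment such as `// ownership is derived from the preloaded Domain; an unloaded Domain denies access` and an explicit `mail.Domain.ID == 0` check that logs the anomaly would make the behaviour deliberate rather than incidental. getWeb in apiweb.go relies on the same preload. Unlike getDatabase and getDomain, `mail = Mail{}` is left without `ID: id`, so on the not-found path the returned struct carries no ID for the caller to log; `mail = Mail{ID: id}` would align the three. The head of getMail with the id parsing is outside the hunk.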
@@ -55,6 +61,7 @@ func mailList(w http.ResponseWriter, r *http.Request) {
 func mailAdd(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "mailadd")
+ logger = setProfilLog(r, logger)
 var mailRequest Mail
 returnerr := libapi.JSONDecoder(w, r, logger, &mailRequest)
@@ -65,7 +72,7 @@ func mailAdd(w http.ResponseWriter, r *http.Request) {
 domain, returnerr := getDomain(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
@@ -95,10 +102,11 @@ func mailAdd(w http.ResponseWriter, r *http.Request) {
 func mailEdit(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "mailedit")
+ logger = setProfilLog(r, logger)
 mail, returnerr := getMail(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
@@ -150,10 +158,11 @@ func mailEdit(w http.ResponseWriter, r *http.Request) {
 func mailDelete(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "maildelete")
+ logger = setProfilLog(r, logger)
 mail, returnerr := getMail(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
diff --git a/modul/host/apiprofil.go b/modul/host/apiprofil.go
index 87dc471..62a096f 100644
--- a/modul/host/apiprofil.go
+++ b/modul/host/apiprofil.go
@@ -14,6 +14,7 @@ func profilList(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 login := ctx.Value("login").(*system.Login)
 logger := log.GetLog(r, "toggleReseller")
+
 if !login.Superadmin {
 logger.Warn("not a superadmin")
 w.WriteHeader(http.StatusUnauthorized)
diff --git a/modul/host/apiweb.go b/modul/host/apiweb.go
index 8ffb58f..2fbc4f8 100644
--- a/modul/host/apiweb.go
+++ b/modul/host/apiweb.go
@@ -36,25 +36,29 @@ func getWeb(w http.ResponseWriter, r *http.Request) (web Web, returnerr *libapi.
 w.WriteHeader(http.StatusBadRequest)
 return
 }
- web = Web{}
- if login.Superadmin {
- dbconnection.Where("ID = ?", id).Preload("HTTPAccess.Login").Preload("FTPAccess.Login").Find(&web)
- } else {
- dbconnection.Where(map[string]int64{"ID": id, "domain.profil": profil.ID}).Preload("HTTPAccess.Login").Preload("FTPAccess.Login").Find(&web)
- }
- if web.ID <= 0 {
- returnerr = &libapi.ErrorResult{Fields: []string{"web"}, Message: "not found"}
+ web = Web{ID: id}
+ db := dbconnection.Where("ID = ?", id).Preload("Domain").Preload("HTTPAccess.Login").Preload("FTPAccess.Login").First(&web)
+ if db.Error != nil || db.RecordNotFound() {
+ returnerr = &libapi.ErrorResult{Fields: []string{"web"}, Message: "web not found"}
 w.WriteHeader(http.StatusNotFound)
 }
+ if !login.Superadmin {
+ if web.Domain.ProfilID != profil.ID {
+ returnerr = &libapi.ErrorResult{Fields: []string{"profil"}, Message: "not allowed to get web"}
+ w.WriteHeader(http.StatusForbidden)
+ }
+ }
 return
 }
 func webList(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "weblist")
+ logger = setProfilLog(r, logger)
+
 var web []*Web
 domain, returnerr := getDomain(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
@@ -67,6 +71,7 @@ func webList(w http.ResponseWriter, r *http.Request) {
 func webAdd(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "webadd")
+ logger = setProfilLog(r, logger)
 var webRequest Web
 returnerr := libapi.JSONDecoder(w, r, logger, &webRequest)
@@ -77,7 +82,7 @@ func webAdd(w http.ResponseWriter, r *http.Request) {
 domain, returnerr := getDomain(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
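Review bot: getWeb states the lookup key twice — `web = Web{ID: id}` and then `.Where("ID = ?", id)` on the same query — whereas getDatabase and getDomain rely on the primary key set in the struct alone and getMail on `Where` alone; in GORM v1 a non-zero primary key in the receiver already becomes a condition for `First`, so one of the two is redundant here. Pick one form for all four helpers so a reader does not have to wonder whether the duplicated key is intentional. Apart from that, the missing `return` after the not-found branch applies here exactly as in getDatabase (see the note on apidatabase.go).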
@@ -115,10 +120,11 @@ func webAdd(w http.ResponseWriter, r *http.Request) {
 func webEdit(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "webedit")
+ logger = setProfilLog(r, logger)
 web, returnerr := getWeb(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
@@ -208,10 +214,11 @@ func webEdit(w http.ResponseWriter, r *http.Request) {
 func webDelete(w http.ResponseWriter, r *http.Request) {
 logger := log.GetLog(r, "webdelete")
+ logger = setProfilLog(r, logger)
 web, returnerr := getWeb(w, r)
 if returnerr != nil {
- logger.Info("not found")
+ logger.Info(returnerr.Message)
 libapi.JSONWrite(w, r, false, returnerr)
 return
 }
diff --git a/modul/host/lib.go b/modul/host/lib.go
index b2fb92f..f7204e8 100644
--- a/modul/host/lib.go
+++ b/modul/host/lib.go
@@ -3,6 +3,8 @@ package host
 import (
 "net/http"
+ "github.com/Sirupsen/logrus"
+
 "context"
 libapi "dev.sum7.eu/sum7/warehost/lib/api"
@@ -10,6 +12,13 @@ import (
 libsystem "dev.sum7.eu/sum7/warehost/system"
 )
+func setProfilLog(r *http.Request, logger *logrus.Entry) *logrus.Entry {
+ ctx := r.Context()
+ profil := ctx.Value("profil").(*Profil)
+ logger = logger.WithField("pID", profil.ID)
+ return logger
+}
+
 //ProfilHandler for api function to get host.Profil
 func ProfilHandler(h libapi.Handle) libapi.Handle {
 return func(w http.ResponseWriter, r *http.Request) {
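Review bot: setProfilLog performs an unchecked type assertion, `ctx.Value("profil").(*Profil)`, so any handler that is ever mounted without ProfilHandler in front of it panics on its first request instead of merely losing a log field. A logging helper should degrade: `profil, ok := r.Context().Value("profil").(*Profil)` / `if !ok { return logger }` / `return logger.WithField("pID", profil.ID)`, which also drops the needless reassignment of the `logger` parameter. The function has no doc comment; `// setProfilLog attaches the request's host.Profil ID as field "pID" to logger.` would match the file's style. In the import hunk above, `"github.com/Sirupsen/logrus"` is placed inside the standard-library group ahead of `"context"` where goimports would move it to the third-party group, and the capitalised path is the legacy spelling of that module — if any other package in the build imports the lowercase `github.com/sirupsen/logrus`, the two resolve to distinct packages and `*logrus.Entry` values stop being assignable across them, so check which spelling the rest of the repository uses.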
@@ -17,14 +26,16 @@ func ProfilHandler(h libapi.Handle) libapi.Handle {
 login := ctx.Value("login").(*libsystem.Login)
 profil := &Profil{LoginID: login.ID}
- dbconnection.Where("login = ?", login.ID).Find(profil)
- if profil.ID > 0 {
- ctx = context.WithValue(ctx, "profil", profil)
- r = r.WithContext(ctx)
- h(w, r)
+
+ if dbconnection.Where("login = ?", login.ID).First(profil).RecordNotFound() {
+ liblog.Log.Warn("no profil found")
+ libapi.JSONWrite(w, r, false, &libapi.ErrorResult{Fields: []string{"session"}, Message: "no profil found"})
 return
 }
- liblog.Log.Warn("no profil found")
- libapi.JSONWrite(w, r, false, &libapi.ErrorResult{Fields: []string{"session"}, Message: "no profil found"})
+ ctx = context.WithValue(ctx, "profil", profil)
+ r = r.WithContext(ctx)
+ h(w, r)
+ return
+
 }
 }
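Review bot: The guard `First(profil).RecordNotFound()` catches only the not-found case; any other database error (lost connection, failed query) makes `RecordNotFound()` false, and the handler then stores `profil` — still `&Profil{LoginID: login.ID}` with a zero ID — in the context and runs `h`, whereas the replaced `profil.ID > 0` test stopped both cases. Downstream code that compares `profil.ID` against a row's owner mostly fails closed on a zero ID, but anything that scopes a query by `profil.ID` (not visible here) would run it for profil 0, and the underlying error is never logged. Capture the result, `db := dbconnection.Where("login = ?", login.ID).First(profil)`, keep the existing response for `db.RecordNotFound()`, and add a separate branch for `db.Error != nil` that logs the error and answers `http.StatusInternalServerError` before returning. The `return` after `h(w, r)` and the blank line before the closing brace do nothing and can go.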