diff --git a/compendium_v2/routes/response.py b/compendium_v2/routes/response.py
index b8d799781308f9523e41e5b46f0f9fc4904ac7b0..9ba078e5db8c00cf4a7bf7fc0588508b7fc603e3 100644
--- a/compendium_v2/routes/response.py
+++ b/compendium_v2/routes/response.py
@@ -91,13 +91,19 @@ def check_access_nren_read(user: User, nren: str) -> bool:
 
 def check_access_nren_write(user: User, nren: str) -> bool:
     if not check_access_nren_read(user, nren):
+        # if you can't read it, you definitely shouldn't write to it
         return False
+
     if user.is_observer:
         # observers can't edit their own nrens either!
         return False
-    # admins can edit all nrens
-    # users can edit their own nrens
-    return True
+    if user.is_admin:
+        # admins can edit all nrens
+        return True
+    if nren == user.nren:
+        # users can edit for the nren they are assigned to
+        return True
+    return False
 
 
 @routes.route('/try/<int:year>', methods=['GET'])
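Review bot: The ownership check `if nren == user.nren:` in check_access_nren_write is an exact string comparison with no guard for a user who has no NREN assigned. The hunk does not show what `user.nren` holds in that case or how check_access_nren_read compares names, so it is worth confirming that an empty value can never match and that both functions normalise the name the same way. A defensive form would be `if user.nren and nren == user.nren:`. Because this function is the write-authorisation gate, it also deserves a docstring such as `"""Return True only for admins, or for non-observer users writing to their own assigned NREN; deny by default."""`. Tests should cover the observer, admin, own-NREN and other-NREN cases so the deny-by-default `return False` stays pinned.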