diff --git a/backend/app/Http/Actions/Orders/GetOrderAction.php b/backend/app/Http/Actions/Orders/GetOrderAction.php
index 9773221e..b72c5581 100644
--- a/backend/app/Http/Actions/Orders/GetOrderAction.php
+++ b/backend/app/Http/Actions/Orders/GetOrderAction.php
@@ -3,6 +3,7 @@
 namespace HiEvents\Http\Actions\Orders;
 
 use HiEvents\DomainObjects\AttendeeDomainObject;
+use HiEvents\DomainObjects\EventDomainObject;
 use HiEvents\DomainObjects\OrderItemDomainObject;
 use HiEvents\DomainObjects\QuestionAndAnswerViewDomainObject;
 use HiEvents\Http\Actions\BaseAction;
@@ -21,6 +22,8 @@ public function __construct(OrderRepositoryInterface $orderRepository)
 
 public function __invoke(int $eventId, int $orderId): JsonResponse
 {
+ $this->isActionAuthorized($eventId, EventDomainObject::class);
+
 $order = $this->orderRepository
 ->loadRelation(OrderItemDomainObject::class)
 ->loadRelation(AttendeeDomainObject::class)
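Review bot: The added `isActionAuthorized($eventId, EventDomainObject::class)` call at the top of `__invoke` only establishes that the caller may act on `$eventId`; it does not show that `$orderId` belongs to that event. The repository query that begins on the following lines ends outside this hunk, so it cannot be confirmed from here that the lookup is constrained by both identifiers. If it matches on the order id alone, a user authorized for one event could still read an order from a different event by supplying its id. I would confirm the lookup filters on the event as well as the order, and add a feature test that requests an order through an event it does not belong to and expects a not-found or forbidden response. A short comment above the call, such as `// Authorize on the event; the order lookup below must also be scoped to $eventId`, would keep the two checks tied together for the next maintainer.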