diff --git a/routes/stories.js b/routes/stories.js
index bb5edd4..b17d62a 100644
--- a/routes/stories.js
+++ b/routes/stories.js
@@ -51,9 +51,13 @@ router.get('/:id', ensureAuth, async (req, res) => {
 return res.render('error/404')
 }
- res.render('stories/show', {
- story,
- })
+ if (story.user._id != req.user.id && story.status == 'private') {
+ res.render('error/404')
+ } else {
+ res.render('stories/show', {
+ story,
+ })
+ }
 } catch (err) {
 console.error(err)
 res.render('error/404')
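Review bot: The added guard in the `/:id` handler hides a story from non-owners only when `story.status == 'private'`, so a story whose status is missing, misspelled or some state added later is still rendered to any authenticated user; the check fails open. If `'public'` is the only status meant to be shared (the status values are not visible in this hunk), an allow-list keeps the default closed: `if (story.status !== 'public' && String(story.user._id) !== String(req.user.id)) { return res.render('error/404') }`. The `!=` comparison also looks like it depends on coercing an ObjectId to a string (assuming `story.user` is a populated Mongoose document), and the explicit `String(...)` form makes that conversion visible while allowing strict equality. Both not-found paths call `res.render('error/404')` without `res.status(404)`, so the response presumably goes out with status 200, which is worth confirming for clients and logs that key on the status code. The handler begins above the hunk and its `catch` block continues past the last line shown.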