diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 3014d810..6fa392c3 100755
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -292,6 +292,9 @@ public function saveLink(Request $request)
 $filteredLinkData['type_params'] = json_encode($customParams);
 if ($OrigLink) {
+ if ($OrigLink->user_id !== $userId) {
+ abort(403);
+ }
 $currentValues = $OrigLink->getAttributes();
 $nonNullFilteredLinkData = array_filter($filteredLinkData, function($value) {return !is_null($value);});
 $updatedValues = array_merge($currentValues, $nonNullFilteredLinkData);
@@ -335,6 +338,7 @@ public function sortLinks(Request $request)
 $linkNewOrders[$linkId] = $newOrder;
 Link::where("id", $linkId)
+ ->where("user_id", Auth::user()->id)
 ->update([
 'order' => $newOrder
 ]);
diff --git a/routes/web.php b/routes/web.php
index c58d8b1f..3bf6335c 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -120,7 +120,7 @@
 Route::get('/studio/profile', [UserController::class, 'showProfile'])->name('showProfile');
 Route::post('/studio/profile', [UserController::class, 'editProfile'])->name('editProfile');
 Route::post('/edit-icons', [UserController::class, 'editIcons'])->name('editIcons');
-Route::get('/clearIcon/{id}', [UserController::class, 'clearIcon'])->name('clearIcon');
+Route::get('/clearIcon/{id}', [UserController::class, 'clearIcon'])->name('clearIcon')->middleware('link-id');
 Route::get('/studio/page/delprofilepicture', [UserController::class, 'delProfilePicture'])->name('delProfilePicture');
 Route::get('/studio/delete-user/{id}', [UserController::class, 'deleteUser'])->name('deleteUser')->middleware('verified');
 Route::post('/auth-as', [AdminController::class, 'authAs'])->name('authAs');
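Review bot: The ownership check added just before `$currentValues = $OrigLink->getAttributes();` uses a strict `!==` between an Eloquent attribute and `$userId`, so it only behaves if both carry the same scalar type; without a `$casts` entry for `user_id` (or on PDO setups that return column values as strings) an int/string mismatch would 403 the legitimate owner. Normalising both sides, `if ((int) $OrigLink->user_id !== (int) $userId) {`, removes that dependency, and scoping the query that produces `$OrigLink` by `user_id` would be stronger still since a foreign id then never loads at all. Answering 403 also confirms to the caller that the guessed id exists, whereas `abort(404)` gives nothing away. Both `$OrigLink` and `$userId` are assigned above the hunk, so their types cannot be confirmed here, and saveLink's body starts and ends outside the hunk.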
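Review bot: `Auth::user()->id` on the added `->where("user_id", ...)` line is re-resolved on every loop iteration and dereferences the user unconditionally, which throws if this code is ever reached without an authenticated session; resolving it once before the loop as `$userId = Auth::id();` and writing `->where("user_id", $userId)` avoids both. Note that the scoped query turns a foreign `$linkId` into a silent no-op rather than an error: `$linkNewOrders[$linkId] = $newOrder;` is still recorded for it and the request presumably still succeeds, so if the caller should learn that an id was rejected, check the row count returned by `->update()` (0 means nothing matched) or validate the id set against the user's links up front. The enclosing loop and sortLinks itself start and end outside the hunk.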
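Review bot: The `link-id` middleware attached to `/clearIcon/{id}` is not part of this diff, so whether it actually compares the link's `user_id` to the authenticated user, and what it does on mismatch, cannot be verified here; it is worth confirming it resolves `{id}` scoped to the current user rather than only checking that the id exists. Independently of that, `clearIcon` is a state-changing action exposed on a GET route, and Laravel's CSRF token check applies only to POST/PUT/PATCH/DELETE, so a link or image tag on a third-party page can trigger it for a logged-in user; the neighbouring GET routes `delprofilepicture` and `delete-user/{id}` have the same exposure. Registering it as `Route::post('/clearIcon/{id}', ...)` (or `Route::delete`) makes the request carry a CSRF token. The adjacent `delete-user/{id}` route carries only `verified` and no ownership middleware, which looks like the same class of issue this change addresses, though its handler is not visible here.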