diff --git a/app/Http/Controllers/PlayerController.php b/app/Http/Controllers/PlayerController.php
index ba351973..390a445b 100644
--- a/app/Http/Controllers/PlayerController.php
+++ b/app/Http/Controllers/PlayerController.php
@@ -16,6 +16,8 @@ use App\Events\CheckPlayerExists;
 use App\Events\PlayerWillBeAdded;
 use App\Events\PlayerWillBeDeleted;
 use App\Exceptions\PrettyPageException;
+use App\Http\Middleware\CheckPlayerExist;
+use App\Http\Middleware\CheckPlayerOwner;
 use App\Services\Repositories\UserRepository;
 
 class PlayerController extends Controller
@@ -43,6 +45,14 @@ class PlayerController extends Controller
 $this->player->checkForInvalidTextures();
 }
 }
+
+ $this->middleware(
+ [CheckPlayerExist::class, CheckPlayerOwner::class],
+ [
+ 'only' => ['delete', 'rename', 'setTexture', 'clearTexture', 'setPreference']
+ ]);
+
+ return json('dd', 0);
 }
 
 public function index()
diff --git a/app/Http/Middleware/CheckPlayerExist.php b/app/Http/Middleware/CheckPlayerExist.php
index e1e0126d..d5503196 100644
--- a/app/Http/Middleware/CheckPlayerExist.php
+++ b/app/Http/Middleware/CheckPlayerExist.php
@@ -10,6 +10,17 @@ class CheckPlayerExist
 {
 public function handle($request, \Closure $next)
 {
+ if ($request->has('pid') && $request->isMethod('post')) {
+ if (is_null(Player::find($request->input('pid')))) {
+ return response()->json([
+ 'errno' => 1,
+ 'msg' => trans('general.unexistent-player')
+ ]);
+ } else {
+ return $next($request);
+ }
+ }
+
 if (stripos($request->getUri(), '.json') != false) {
 preg_match('/\/([^\/]*)\.json/', $request->getUri(), $matches);
 } else {
diff --git a/app/Http/Middleware/CheckPlayerOwner.php b/app/Http/Middleware/CheckPlayerOwner.php
new file mode 100644
index 00000000..f01a5b9a
--- /dev/null
+++ b/app/Http/Middleware/CheckPlayerOwner.php
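Review bot: `return json('dd', 0);` at the bottom of the constructor hunk reads as a debugging leftover — PHP discards whatever a constructor returns, so the line only runs the `json()` helper for nothing and will puzzle the next reader; delete it. Note also that Laravel collects middleware registered through `$this->middleware()` only after the controller has been constructed, so the code above this hunk that touches `$this->player` (the `checkForInvalidTextures()` call is in the context lines) still runs before CheckPlayerExist/CheckPlayerOwner can reject a missing or foreign `pid`; if that code loads the player from the request, it has to tolerate a missing player on its own. The enclosing method starts outside the hunk.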
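Review bot: The new POST branch passes `$request->input('pid')` straight to `Player::find()` without checking that it is a scalar; Eloquent treats an array id (`pid[]=1`) as `findMany()` and returns a Collection, which is not null, so the existence check succeeds and the next middleware and the action receive a Collection instead of a Player. Reject non-scalar ids up front, e.g. `$pid = $request->input('pid');` followed by `if (!is_scalar($pid) || is_null(Player::find($pid))) {`. The `else` after the early `return` is redundant; `return $next($request);` can follow the `if` directly. The same lookup is repeated in CheckPlayerOwner and presumably again in the action, so consider stashing the found model on the request rather than querying three times. `handle()` continues beyond the hunk.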
@@ -0,0 +1,32 @@ +input('pid')) { + $player = Player::find($pid); + + if ($player->uid != app('user.current')->uid) { + return response()->json([ + 'errno' => 1, + 'msg' => trans('admin.players.no-permission') + ]); + } + } + + return $next($request); + } +} diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php index 0fb5ab42..c7d55e85 100644 --- a/tests/MiddlewareTest.php +++ b/tests/MiddlewareTest.php @@ -110,6 +110,51 @@ class MiddlewareTest extends TestCase $this->expectsEvents(\App\Events\CheckPlayerExists::class); $this->get("/{$player->player_name}.json"); + + $player = factory(\App\Models\Player::class)->create(); + $user = \App\Models\User::find($player->uid); + $this->actAs($user) + ->post('/user/player/rename', [ + 'pid' => -1, + 'new_player_name' => 'name' + ])->seeJson([ + 'errno' => 1, + 'msg' => trans('general.unexistent-player') + ]); + $this->actAs($user) + ->post('/user/player/rename', [ + 'pid' => $player->pid, + 'new_player_name' => 'name' + ])->seeJson([ + 'errno' => 0 + ]); + } + + public function testCheckPlayerOwner() + { + $other_user = factory(\App\Models\User::class)->create(); + $player = factory(\App\Models\Player::class)->create(); + $owner = \App\Models\User::find($player->uid); + + $this->actAs($other_user) + ->visit('/user/player') + ->assertResponseStatus(200); + + $this->actAs($other_user) + ->post('/user/player/rename', [ + 'pid' => $player->pid + ])->seeJson([ + 'errno' => 1, + 'msg' => trans('admin.players.no-permission') + ]); + + $this->actAs($owner) + ->post('/user/player/rename', [ + 'pid' => $player->pid, + 'new_player_name' => 'name' + ])->seeJson([ + 'errno' => 0 + ]); } public function testRedirectIfAuthenticated() diff --git a/tests/PlayerControllerTest.php b/tests/PlayerControllerTest.php index dcfd40b3..915acaf6 100644 --- a/tests/PlayerControllerTest.php +++ b/tests/PlayerControllerTest.php 
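Review bot: The owner check is skipped whenever `$pid` is falsy — `if ($pid = $request->input('pid'))` lets a missing, empty or `0` id straight through to `$next($request)` — and `$player->uid` is read without a null check, so this middleware is only safe when CheckPlayerExist has run immediately before it and the action validates `pid` again afterwards; an authorization gate should fail closed on its own: `$player = Player::find($request->input('pid'));` then `if (is_null($player) || $player->uid != app('user.current')->uid) {` (or pass through only when `!$request->has('pid')`, if absent ids must still reach the controller's validation). The `!=` on the two uids is a loose comparison; if both sides are integers, `!==` is the safer form. Whether `app('user.current')` can be null here depends on the auth middleware attached to these routes, which is outside the diff. Only the tail of this 32-line hunk is visible in this rendering (the text starts at `+input('pid')) {`), so the namespace, imports, class declaration and `handle()` signature could not be reviewed.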
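Review bot: `testCheckPlayerOwner` only exercises the owner and a different authenticated user, so the inputs on which the middleware's truthiness guard and the unchecked `Player::find()` argument actually matter are untested — a request with `pid` absent or `0`, an array `pid` (`'pid' => [$player->pid]`) and an unauthenticated client should each be pinned to the response the team expects. The non-owner request deliberately omits `new_player_name`, which works because the middleware answers before validation; a one-line comment saying so, `// owner check must answer before validation runs`, would stop someone "fixing" it later. The first test method extended by this hunk starts outside it.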
@@ -279,14 +279,15 @@ class PlayerControllerTest extends TestCase
 {
 // Without `preference` field
 $player = factory(Player::class)->create();
- $this->post('/user/player/preference', [
- 'pid' => $player->pid
- ], [
- 'X-Requested-With' => 'XMLHttpRequest'
- ])->seeJson([
- 'errno' => 1,
- 'msg' => trans('validation.required', ['attribute' => 'preference'])
- ]);
+ $this->actAs(User::find($player->uid))
+ ->post('/user/player/preference', [
+ 'pid' => $player->pid
+ ], [
+ 'X-Requested-With' => 'XMLHttpRequest'
+ ])->seeJson([
+ 'errno' => 1,
+ 'msg' => trans('validation.required', ['attribute' => 'preference'])
+ ]);
 
 // value of `preference` is invalid
 $this->post('/user/player/preference', [
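Review bot: Only the first request in this test is wrapped in `actAs(User::find($player->uid))`; the next one, `$this->post('/user/player/preference', [` at the end of the hunk, is sent bare, and with CheckPlayerOwner now guarding `setPreference` it will receive `admin.players.no-permission` instead of the validation error the test presumably asserts — unless the project's `actAs` helper keeps the user logged in for the rest of the method. If it does, a comment above the first `actAs` such as `// actAs() persists for the remaining requests in this test` would make that dependency explicit; otherwise every request in the method needs its own `actAs`. The test method continues past the end of the hunk.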