diff --git a/backend/strapi/src/api/note/controllers/note.js b/backend/strapi/src/api/note/controllers/note.js
index a69f15d..65e3eb5 100644
--- a/backend/strapi/src/api/note/controllers/note.js
+++ b/backend/strapi/src/api/note/controllers/note.js
@@ -29,15 +29,22 @@ module.exports = createCoreController('api::note.note', ({strapi}) => ({
     return JSON.stringify(entries);
   },
   /**
-   * Finds the note by id. Only returns the note when the user is assigned.
+   * Finds the note by id. Exits 403 if the note does not belong to the user making the request
    * @param ctx
-   * @returns {Promise}
+   * @returns {Promise}
    */
   async findOne(ctx) {
-    console.log("findOne")
-  }
-}));
+    const noteId = Number(ctx.request.url.split("/").at(-1));
+    const userId = ctx.state.user.id;
+    const entry = await strapi.entityService.findOne('api::note.note', noteId, {
+      populate: ['owners'],
+    });
+    let allowed = entry.owners.some(owner => owner.id === userId)
+    if (allowed) {
+      return JSON.stringify(entry);
+    } else {
+      ctx.response.status = 403;
+    }
+  },
-/**
- *
- */
+}));
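Review bot: `entry.owners` in the new findOne dereferences the result of entityService.findOne without a null check, so a request for a note id that does not exist throws a TypeError and surfaces as a 500 instead of a deliberate 404 or 403. The id is also recovered from `ctx.request.url.split("/").at(-1)`, which becomes NaN as soon as a query string is appended to the URL, whereas Strapi's router already exposes it as `ctx.params.id`. The 403 branch sets a status with no body where `ctx.forbidden()` gives a consistent error response, and `let allowed` is never reassigned so it should be `const`. Whether the populated `owners` (user records) should be returned to the caller unsanitized cannot be judged from this hunk; the core controllers pass the entity through `this.sanitizeOutput(entry, ctx)` before returning it, which is worth confirming for this endpoint.
```javascript
  async findOne(ctx) {
    const noteId = Number(ctx.params.id);
    const userId = ctx.state.user.id;
    const entry = await strapi.entityService.findOne('api::note.note', noteId, {
      populate: ['owners'],
    });
    // A missing note must not reach entry.owners below; answer 404 explicitly.
    if (!entry) {
      return ctx.notFound();
    }
    const allowed = entry.owners.some((owner) => owner.id === userId);
    if (!allowed) {
      return ctx.forbidden();
    }
    return JSON.stringify(entry);
  },
```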