diff --git a/apps/user/views.py b/apps/user/views.py
index 8dc66d18..9ad82013 100644
--- a/apps/user/views.py
+++ b/apps/user/views.py
@@ -3,7 +3,10 @@ from django.shortcuts import render, reverse
 from django.views.generic import DetailView, UpdateView
 from django.contrib import messages
 from django.contrib.auth import get_user_model
+from django.contrib.auth.decorators import login_required, permission_required
 from django.contrib.auth.hashers import check_password, make_password
+from django.http import Http404
+from django.utils.decorators import method_decorator

 from apps.course.models import Course

@@ -30,9 +33,15 @@ class UserEditView(UpdateView):
 template_name = 'user/profile-settings.html'
 form_class = UserEditForm

+ @method_decorator(login_required)
+ def dispatch(self, request, *args, **kwargs):
+ self.object = self.get_object()
+ if request.user != self.object:
+ raise Http404()
+ return super().dispatch(request, *args, **kwargs)
+
 def post(self, request, *args, **kwargs):
 # it's magic *-*-*-*-*
- self.object = self.get_object()
 if not request.POST._mutable:
 request.POST._mutable = True
 old_password = request.POST.pop('old_password')[0]
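Review bot: `permission_required` is imported on the added `django.contrib.auth.decorators` line, but nothing in the visible hunks uses it; only `login_required` is applied. If no other part of the file needs it, the line should read `from django.contrib.auth.decorators import login_required`.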
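Review bot: The ownership check in `dispatch` is a comparison layered on an unrestricted lookup: `get_object()` still resolves whichever user the URL names, and only the `if request.user != self.object` line stands between that record and the edit form. Scoping the lookup itself is sturdier, e.g. `def get_queryset(self): return super().get_queryset().filter(pk=self.request.user.pk)`, so that every `get_object()` call returns 404 for another user's record. As written, the object is also fetched twice on GET, because Django's `BaseUpdateView.get()` calls `get_object()` again after `dispatch` has done so. `post` now relies on `dispatch` having set `self.object`, which deserves a comment such as `# self.object is set and ownership-checked in dispatch()`. The class body starts above the hunk and `post` continues below it, so whether `model` or `get_object` is customised is not visible here.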