diff --git a/finance/models.py b/finance/models.py
index 89ad0ec..baf8d70 100755
--- a/finance/models.py
+++ b/finance/models.py
@@ -31,7 +31,7 @@ class Bill(models.Model):
 if self.invoice_set.exclude(status='F').exists():
 log = False
 try:
- p = Progress.objects.get(user=user, course_token=str(self.course_token))
+ p = Progress.objects.get(user=self.user, course_token=str(self.course_token))
 p.freeze = True
 p.save()
 except Progress.DoesNotExist:
diff --git a/finance/views.py b/finance/views.py
index bb4e472..66a7df3 100644
--- a/finance/views.py
+++ b/finance/views.py
@@ -44,12 +44,13 @@ class FreezeView(APIView):
 @staticmethod
 def post(request, pk):
- if request.user.is_authenticated:
- try:
- bill = Bill.objects.get(id=pk)
- bill.freeze_course(request.user)
- except Bill.DoesNotExist:
- return Response("Счёт не найден", status=404)
+ try:
+ bill = Bill.objects.get(id=pk)
+ except Bill.DoesNotExist:
+ return Response("Счёт не найден", status=404)
+
+ if request.user.is_authenticated and request.user.email == bill.user.email:
+ bill.freeze_course()
 return Response(status=204)
 return Response("Permission denied", status=403)
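Review bot: The `Progress.objects.get(user=self.user, ...)` line is the only change this commit makes to finance/models.py, while finance/views.py now calls `bill.freeze_course()` with no argument. The method signature lies outside this hunk, so unless it already gives `user` a default, that call would presumably raise `TypeError`; the parameter should be dropped or defaulted in the same commit. Because the user now comes from `self.user`, the method performs no authorization of its own on the lines shown, which deserves a docstring line such as `"""Freeze the bill owner's course progress; callers must verify ownership first."""`. The enclosing method starts and ends outside the hunk.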
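Review bot: The ownership test `request.user.email == bill.user.email` in `post` compares a mutable attribute rather than account identity. With Django's stock user model, email is neither unique nor required, so two accounts sharing an address (or both blank) would pass the check; the project's user model is not visible here, so confirm. Comparing keys, e.g. `request.user.pk == bill.user_id` (assuming `Bill.user` is a foreign key), avoids that and also the attribute error on a bill without a user. Separately, the lookup now runs before any authentication check, so an anonymous client can tell existing bill ids (403) from missing ones (404). Checking `is_authenticated` first and scoping the query as `Bill.objects.get(id=pk, user=request.user)` removes that distinction.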