diff --git a/service/service_event/attendance_list.go b/service/service_event/attendance_list.go
index d2a1ec0..f845f4c 100644
--- a/service/service_event/attendance_list.go
+++ b/service/service_event/attendance_list.go
@@ -94,17 +94,34 @@ func (self *EventServiceImpl) AttendanceList(payload *AttendanceListPayload) (re
 }
 if eventData.Owner != payload.UserId {
- exc := exception.New(
- exception.WithStatus(exception.StatusUser),
- exception.WithType(exception.TypeSpecific),
- exception.WithOriginal(exception.EventAttendanceListError),
- exception.WithError(errors.New("only the event owner may view the attendance list")),
- ).Throw(ctx)
+ callerData, err := new(data.User).GetByUserId(ctx, &payload.UserId)
+ if err != nil {
+ exc := exception.New(
+ exception.WithStatus(exception.StatusServer),
+ exception.WithType(exception.TypeCommon),
+ exception.WithOriginal(exception.CommonErrorDatabase),
+ exception.WithError(err),
+ ).Throw(ctx)
- result = &AttendanceListResult{
- Common: shared.CommonResult{HttpCode: 403, Exception: exc},
+ result = &AttendanceListResult{
+ Common: shared.CommonResult{HttpCode: 500, Exception: exc},
+ }
+ return
+ }
+
+ if callerData == nil || callerData.PermissionLevel < 40 {
+ exc := exception.New(
+ exception.WithStatus(exception.StatusUser),
+ exception.WithType(exception.TypeSpecific),
+ exception.WithOriginal(exception.EventAttendanceListError),
+ exception.WithError(errors.New("only the event owner may view the attendance list")),
+ ).Throw(ctx)
+
+ result = &AttendanceListResult{
+ Common: shared.CommonResult{HttpCode: 403, Exception: exc},
+ }
+ return
 }
- return
 }
 limit := 20
diff --git a/service/service_event/stats.go b/service/service_event/stats.go
index d7998f9..e33f143 100644
--- a/service/service_event/stats.go
+++ b/service/service_event/stats.go
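Review bot: The literal `40` in `callerData.PermissionLevel < 40` is an unexplained authorization threshold, and the same non-owner override is copied verbatim into the `Stats` hunk in `stats.go`, so the two checks can drift apart when one is edited. Give the level a name where the other permission levels are defined and compare against it, e.g. `if callerData == nil || callerData.PermissionLevel < minLevelViewAnyEvent {` (the constant name is only a suggestion; the page does not show where levels are declared), or move the owner-or-privileged decision into one helper that both methods call. The 403 text `only the event owner may view the attendance list` also no longer matches the rule, since a sufficiently privileged non-owner now passes. `AttendanceList` starts and ends outside this hunk.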
@@ -88,17 +88,34 @@ func (self *EventServiceImpl) Stats(payload *EventStatsPayload) (result *EventSt
 }
 if eventData.Owner != payload.UserId {
- exc := exception.New(
- exception.WithStatus(exception.StatusUser),
- exception.WithType(exception.TypeSpecific),
- exception.WithOriginal(exception.EventStatsNotOwner),
- exception.WithError(errors.New("only the event owner may view event stats")),
- ).Throw(ctx)
+ callerData, err := new(data.User).GetByUserId(ctx, &payload.UserId)
+ if err != nil {
+ exc := exception.New(
+ exception.WithStatus(exception.StatusServer),
+ exception.WithType(exception.TypeCommon),
+ exception.WithOriginal(exception.CommonErrorDatabase),
+ exception.WithError(err),
+ ).Throw(ctx)
- result = &EventStatsResult{
- Common: shared.CommonResult{HttpCode: 403, Exception: exc},
+ result = &EventStatsResult{
+ Common: shared.CommonResult{HttpCode: 500, Exception: exc},
+ }
+ return
+ }
+
+ if callerData == nil || callerData.PermissionLevel < 40 {
+ exc := exception.New(
+ exception.WithStatus(exception.StatusUser),
+ exception.WithType(exception.TypeSpecific),
+ exception.WithOriginal(exception.EventStatsNotOwner),
+ exception.WithError(errors.New("only the event owner may view event stats")),
+ ).Throw(ctx)
+
+ result = &EventStatsResult{
+ Common: shared.CommonResult{HttpCode: 403, Exception: exc},
+ }
+ return
 }
- return
 }
 attRepo := new(data.Attendance)
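Review bot: When a non-owner passes the `PermissionLevel` check, execution falls through to `attRepo := new(data.Attendance)` and nothing in the hunk records that the owner check was overridden; the `AttendanceList` hunk has the same gap. This data was owner-only before the change, so a privileged read of another user's event deserves an audit entry carrying the caller id and the event id, written inside the `if eventData.Owner != payload.UserId` block after the 403 branch. A comment there such as `// non-owner access granted by elevated PermissionLevel; recorded for audit` would make the override explicit to the next reader. Logging may already exist further down in `Stats`, whose body continues outside this hunk.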