diff --git a/books/views.py b/books/views.py
index 8e4966ee..b69bb8e0 100644
--- a/books/views.py
+++ b/books/views.py
@@ -1,6 +1,6 @@
 import logging
 from django.shortcuts import render, get_object_or_404, redirect, reverse
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.utils.translation import gettext_lazy as _
 from django.http import HttpResponseBadRequest, HttpResponseServerError
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
@@ -200,6 +200,7 @@ def retrieve(request, id):
         return HttpResponseBadRequest()
 
 
+@permission_required('books.delete_book')
 @login_required
 def delete(request, id):
     if request.method == 'GET':
@@ -238,6 +239,8 @@ def create_update_mark(request):
         old_tags = None
         if pk:
             mark = get_object_or_404(BookMark, pk=pk)
+            if request.user != mark.owner:
+                return HttpResponseBadRequest()
             old_rating = mark.rating
             old_tags = mark.bookmark_tags.all()
             # update
@@ -332,6 +335,8 @@ def retrieve_mark_list(request, book_id):
 def delete_mark(request, id):
     if request.method == 'POST':
         mark = get_object_or_404(BookMark, pk=id)
+        if request.user != mark.owner:
+            return HttpResponseBadRequest()
         book_id = mark.book.id
         try:
             with transaction.atomic():
@@ -394,8 +399,6 @@ def create_review(request, book_id):
 @mastodon_request_included
 @login_required
 def update_review(request, id):
-    # owner check
-    # edited time
     if request.method == 'GET':
         review = get_object_or_404(BookReview, pk=id)
         if request.user != review.owner:
diff --git a/movies/models.py b/movies/models.py
index dacf3a1e..14fe072b 100644
--- a/movies/models.py
+++ b/movies/models.py
@@ -165,7 +165,7 @@ class Movie(Resource):
 
     def __str__(self):
         if self.year:
-            return self.title + f"{self.year}"  
+            return self.title + f"({self.year})"  
         else:
             return self.title
 
diff --git a/movies/views.py b/movies/views.py
index 0af8b03d..5ff5e1d8 100644
--- a/movies/views.py
+++ b/movies/views.py
@@ -1,6 +1,6 @@
 import logging
 from django.shortcuts import render, get_object_or_404, redirect, reverse
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.utils.translation import gettext_lazy as _
 from django.http import HttpResponseBadRequest, HttpResponseServerError
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
@@ -202,6 +202,7 @@ def retrieve(request, id):
         return HttpResponseBadRequest()
 
 
+@permission_required("movies.delete_movie")
 @login_required
 def delete(request, id):
     if request.method == 'GET':
@@ -240,6 +241,8 @@ def create_update_mark(request):
         old_tags = None
         if pk:
             mark = get_object_or_404(MovieMark, pk=pk)
+            if request.user != mark.owner:
+                return HttpResponseBadRequest()
             old_rating = mark.rating
             old_tags = mark.moviemark_tags.all()
             # update
@@ -335,6 +338,8 @@ def retrieve_mark_list(request, movie_id):
 def delete_mark(request, id):
     if request.method == 'POST':
         mark = get_object_or_404(MovieMark, pk=id)
+        if request.user != mark.owner:
+            return HttpResponseBadRequest()
         movie_id = mark.movie.id
         try:
             with transaction.atomic():
@@ -397,8 +402,6 @@ def create_review(request, movie_id):
 @mastodon_request_included
 @login_required
 def update_review(request, id):
-    # owner check
-    # edited time
     if request.method == 'GET':
         review = get_object_or_404(MovieReview, pk=id)
         if request.user != review.owner: