diff --git a/messages/de.msg b/messages/de.msg
index 1248d699f..fec6874c8 100644
--- a/messages/de.msg
+++ b/messages/de.msg
@@ -37,6 +37,7 @@ UnauthorizedSubmissionCorrector: Sie sind nicht der Korrektor für diese Abgabe.
 OnlyUploadOneFile: Bitte nur eine Datei hochladen.
 DeprecatedRoute: Diese Ansicht ist obsolet und könnte in Zukunft entfallen.
 UnfreeMaterials: Die Materialien für diese Veranstaltung sind nicht allgemein freigegeben.
+UnauthorizedWrite: Sie haben hierfür keine Schreibberechtigung
 
 SubmissionWrongSheet: Abgabenummer gehört nicht zum angegebenen Übungsblatt.
 SubmissionAlreadyExists: Sie haben bereits eine Abgabe zu diesem Übungsblatt.
diff --git a/routes b/routes
index 2b5511668..37e2ebecb 100644
--- a/routes
+++ b/routes
@@ -18,6 +18,8 @@
 --
 --    !materials  -- only if course allows all materials to be free (no meaning outside of courses)
 --    !time       -- access depends on time somehow
+--    !isRead     -- only if it is read-only access (i.e. GET but not POST)
+--    !isWrite    -- only if it is write access     (i.e. POST only) why needed???
 --
 --    !deprecated -- like free, but logs and gives a warning
 --
diff --git a/src/Foundation.hs b/src/Foundation.hs
index 5932fa6c3..9d0f3e441 100644
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
@@ -269,9 +269,9 @@ knownTags = -- should not throw exceptions, i.e. no getBy404 or requireAuthId
          cTime <- liftIO getCurrentTime
          case subRoute of
            SFileR SheetExercise _ -> guard $ maybe False (<= cTime) sheetVisibleFrom
-           SFileR SheetHint _ -> guard $ maybe False (<= cTime) sheetHintFrom
+           SFileR SheetHint     _ -> guard $ maybe False (<= cTime) sheetHintFrom
            SFileR SheetSolution _ -> guard $ maybe False (<= cTime) sheetSolutionFrom
-           SFileR SheetMarking _ -> mzero -- only for correctors and lecturers
+           SFileR SheetMarking  _ -> mzero -- only for correctors and lecturers
            SubmissionNewR -> guard $ sheetActiveFrom <= cTime && cTime <= sheetActiveTo
            _ -> guard $ maybe False (<= cTime) sheetVisibleFrom
          return Authorized
@@ -314,6 +314,17 @@ knownTags = -- should not throw exceptions, i.e. no getBy404 or requireAuthId
          $logErrorS "AccessControl" $ "'!owner' used on route that doesn't support it: " <> tshow r
          unauthorizedI MsgUnauthorized
    )
+  ,("isRead",  APHandler $ \route ->
+      bool  <$> return Authorized
+            <*> unauthorizedI MsgUnauthorizedWrite
+            <*> isWriteRequest route
+   )
+  ,("isWrite", APHandler $ \route -> do
+      write <- isWriteRequest route
+      if write
+        then return Authorized
+        else unauthorizedI MsgUnauthorized
+   )
   ]