diff --git a/src/Foundation.hs b/src/Foundation.hs
index 0d610b932..cd5bcd763 100644
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
@@ -219,18 +219,20 @@ knownTags = -- should not throw exceptions, i.e. no getBy404 or requireAuthId
       return Authorized
     )
   ,("lecturer", APDB $ \case
-      CourseR tid csh _ -> maybeT (unauthorizedI MsgUnauthorizedLecturer) $ do
-          authId <- lift $ lift requireAuthId -- TODO SJ Continue
-          -- getBy404 would disclose that the course exists
-          Entity cid _ <- MaybeT . getBy $ CourseTermShort tid csh
-          void . MaybeT . getBy $ UniqueLecturer authId cid
+      CourseR tid csh _ -> exceptT return return $ do
+          authId <- maybeExceptT AuthenticationRequired $ lift maybeAuthId
+          [E.Value c] <- lift . E.select . E.from $ \(course `E.InnerJoin` lecturer) -> do
+            E.on $ course E.^. CourseId E.==. lecturer E.^. LecturerCourse
+            E.where_ $ lecturer E.^. LecturerUser E.==. E.val authId
+                 E.&&. course E.^. CourseTerm E.==. E.val tid
+                 E.&&. course E.^. CourseShorthand E.==. E.val csh
+            return (E.countRows :: E.SqlExpr (E.Value Int64))
+          guardMExceptT (unauthorizedI MsgUnauthorizedLecturer) (c > 0)
+          return Authorized
+      _ -> exceptT return return $ do
+          authId <- maybeExceptT AuthenticationRequired $ lift maybeAuthId
+          void . maybeMExceptT (unauthorizedI MsgUnauthorizedSchoolLecturer) $ selectFirst [UserLecturerUser ==. authId] []
           return Authorized
-      _ -> do
-          authId <- lift requireAuthId -- TODO SJ Continue
-          mul <- selectFirst [UserLecturerUser ==. authId] []
-          case mul of
-            Nothing  -> unauthorizedI $ MsgUnauthorizedSchoolLecturer
-            (Just _) -> return Authorized
     )
    -- TODO: Continue here!!!
   ,("corrector", undefined)
@@ -247,12 +249,12 @@ knownTags = -- should not throw exceptions, i.e. no getBy404 or requireAuthId
 tag2ap :: Text -> AccessPredicate
 tag2ap t = case Map.lookup (CI.mk t) knownTags of
     (Just acp) -> acp
-    Nothing   -> APHandler $ \_route -> do --TODO: can this be pure like falseAP?
+    Nothing   -> APHandler $ \_route -> do -- Can this be pure like falseAP? GK: not if we want to log a message (which we definitely should)
       $logWarnS "AccessControl" ("route tag unknown for access control")
       unauthorizedI $ MsgUnauthorized
 
 route2ap :: Route UniWorX -> AccessPredicate
-route2ap r = foldr orAP adminAP attrsAND --TODO: adminAP causes all to be in DB!!!
+route2ap r = foldr orAP adminAP attrsAND -- adminAP causes all to be in DB!!! GK: Due to shortCircuitM this (while still true) is no longer costly (we do a `runDB` but then only actually send off queries, if needed)
   where
     attrsAND = map splitAND $ Set.toList $ routeAttrs r
     splitAND = foldr1 andAP . map tag2ap . Text.splitOn "AND"