diff --git a/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts b/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
index 5c19aa76..e8fe4a3b 100644
--- a/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
+++ b/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
@@ -441,8 +441,19 @@ export const resumesResumeUserRouter = createProtectedRouter()
 id: z.string(),
 }),
 async resolve({ ctx, input }) {
+ const userId = ctx.session.user.id;
 const { id } = input;
 
+ const resume = await ctx.prisma.resumesResume.findUnique({
+ where: {
+ id,
+ },
+ });
+
+ if (resume?.userId !== userId) {
+ throw new Error('Unauthorized: you can only delete your own resumes');
+ }
+
 return await ctx.prisma.resumesResume.delete({
 where: {
 id,
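Review bot: The ownership check in `resolve` throws a plain `Error`, so if this is a tRPC router (the `resolve({ ctx, input })` shape suggests it, but the imports are not visible here) a denied delete will most likely surface as an internal server error rather than an authorization failure. A typed error such as `throw new TRPCError({ code: 'FORBIDDEN', message: 'You can only delete your own resumes' });` keeps refused deletes distinguishable from crashes in logs and alerting. A missing resume takes the same branch because `resume?.userId` is `undefined`, which avoids revealing whether an id exists; a short comment such as `// not-found and not-owner are deliberately indistinguishable` would stop that being split into a separate not-found path later. The lookup only needs the owner, so `select: { userId: true }` on `findUnique` avoids loading the whole row. The `delete` call and the rest of `resolve` continue past the end of the hunk.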