diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index f8258150c..f9fffc3e7 100644
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -1416,6 +1416,17 @@ class SavedViewSerializer(OwnedObjectSerializer):
         return attrs
 
     def update(self, instance, validated_data):
+        user = getattr(self, "user", None)
+        is_superuser = user.is_superuser if user is not None else False
+        is_owner = instance.owner == user if user is not None else False
+        is_unowned = instance.owner is None
+        if not (is_superuser or is_owner or is_unowned) and (
+            "show_on_dashboard" in validated_data or "show_in_sidebar" in validated_data
+        ):
+            raise PermissionDenied(
+                _("Insufficient permissions."),
+            )
+
         if "filter_rules" in validated_data:
             rules_data = validated_data.pop("filter_rules")
         else:
diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py
index 23ae7c3b0..05e9f2374 100644
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -2066,6 +2066,13 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
             {"show_in_sidebar": True},
             format="json",
         )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        response = self.client.patch(
+            f"/api/saved_views/{v2.id}/",
+            {"sort_field": "added"},
+            format="json",
+        )
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         response = self.client.patch(
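Review bot: The guard in `update` keys on field presence in `validated_data`, so a non-owner PATCH that merely echoes the current value of `show_in_sidebar` or `show_on_dashboard` (as a full PUT from a client would) is rejected with 403 even though nothing changes; if that is not intended, compare against the instance instead, e.g. `changed = any(k in validated_data and validated_data[k] != getattr(instance, k) for k in ("show_on_dashboard", "show_in_sidebar"))` and test `changed` in the `if`. The `getattr(self, "user", None)` fallback means a view that forgets to attach `user` silently fails closed (only unowned views become editable), which is the safe direction but is easy to misread as a bug later; a comment such as `# self.user is attached by the view; if it is missing we fail closed and only unowned views pass` would document the contract. Unowned views (`is_unowned`) are exempt from the check entirely, which appears to match the project's convention for ownerless objects but is worth stating in the same comment. The rest of `update` continues outside the hunk.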
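Review bot: The new assertions only check status codes, so a regression that returns 403 but still persists the field (e.g. a later refactor that moves the raise after the save) would not be caught; after the 403 add `v2.refresh_from_db()` and `self.assertFalse(v2.show_in_sidebar)` (or whatever its fixture value is, which is set outside the hunk). The `show_on_dashboard` branch of the same guard and the superuser and unowned-view cases have no coverage here; at minimum a second PATCH with `{"show_on_dashboard": True}` expecting 403 would exercise the other key. The test method starts and ends outside the hunk.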