diff --git a/apps/challenges/views.py b/apps/challenges/views.py
index 0459ee55f4..75465ae158 100644
--- a/apps/challenges/views.py
+++ b/apps/challenges/views.py
@@ -243,6 +243,14 @@ def challenge_detail(request, challenge_host_team_pk, challenge_pk):
 return Response(response_data, status=status.HTTP_406_NOT_ACCEPTABLE)
 if request.method == "GET":
+ if not (
+ request.user.id == challenge.creator.created_by.id
+ or is_user_a_host_of_challenge(request.user, challenge.id)
+ ):
+ response_data = {
+ "error": "You are not authorized to make this request"
+ }
+ return Response(response_data, status=status.HTTP_403_FORBIDDEN)
 serializer = ChallengeSerializer(
 challenge, context={"request": request}
 )
@@ -5006,6 +5014,14 @@ def update_allowed_email_ids(request, challenge_pk, phase_pk):
 return Response(response_data, status=status.HTTP_400_BAD_REQUEST)
 if request.method == "GET":
+ if not (
+ request.user.id == challenge.creator.created_by.id
+ or is_user_a_host_of_challenge(request.user, challenge.id)
+ ):
+ response_data = {
+ "error": "You are not authorized to make this request"
+ }
+ return Response(response_data, status=status.HTTP_403_FORBIDDEN)
 serializer = ChallengePhaseCreateSerializer(
 challenge_phase, context={"request": request}
 )
diff --git a/tests/unit/challenges/test_views.py b/tests/unit/challenges/test_views.py
index 697d84c9fc..93423e8706 100644
--- a/tests/unit/challenges/test_views.py
+++ b/tests/unit/challenges/test_views.py
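Review bot: The guard added to challenge_detail's GET branch hand-copies the same eight-line host-or-creator predicate that the second hunk pastes into update_allowed_email_ids (and, presumably, the non-GET branches of both views already carry a third copy outside the hunk); an authorization rule duplicated by hand is the one that drifts, so it belongs in a single helper next to `is_user_a_host_of_challenge`, e.g. `def is_user_a_host_or_creator_of_challenge(user, challenge): return user.id == challenge.creator.created_by_id or is_user_a_host_of_challenge(user, challenge.id)`, with the branch reduced to `if not is_user_a_host_or_creator_of_challenge(request.user, challenge):`. Comparing against `created_by_id` rather than `created_by.id` also avoids fetching the related user object only to read its primary key. Be aware this is a pure tightening: any caller who is neither host nor creator previously received the serialized challenge from this URL and now receives 403, so the commit message should say whether participant clients are expected to use a different route. challenge_detail starts before the hunk and its remaining method branches fall after it.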
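Review bot: The new check sits inside `if request.method == "GET":`, so it protects only the read of the allowed-e-mail list (a list of participant addresses, i.e. PII) while every other method this view accepts still relies on whatever check exists outside the hunk; the predicate should be evaluated once, right after `challenge` and `challenge_phase` are resolved and before the method dispatch, so that no branch can be added later without it. Moving the block there is the only change needed — the eight `+` lines are lifted above `if request.method == "GET":` and dedented one level. As written the check also runs after the phase lookup and its `HTTP_400_BAD_REQUEST` return, so a non-host can still distinguish a valid `phase_pk` (403) from an invalid one (400); if that oracle matters, authorize against `challenge` before resolving the phase. The body of update_allowed_email_ids starts and ends outside the hunk.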
@@ -644,6 +644,13 @@ def test_get_particular_challenge(self):
 )
 self.assertEqual(response.status_code, status.HTTP_200_OK)
+ def test_get_particular_challenge_when_user_is_not_host_or_creator(self):
+ self.client.force_authenticate(user=self.participant_user)
+ expected = {"error": "You are not authorized to make this request"}
+ response = self.client.get(self.url, {})
+ self.assertEqual(response.data, expected)
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
 def test_update_challenge_when_user_is_not_its_creator(self):
 # pylint: disable=attribute-defined-outside-init
 self.user1 = User.objects.create(
@@ -6220,6 +6227,22 @@ def test_get_or_update_allowed_email_ids_success(self):
 self.assertEqual(response.data, expected)
 self.assertEqual(response.status_code, status.HTTP_200_OK)
+ def test_get_allowed_email_ids_when_user_is_not_host_or_creator(self):
+ self.url = ( # pylint: disable=attribute-defined-outside-init
+ reverse_lazy(
+ "challenges:get_or_update_allowed_email_ids",
+ kwargs={
+ "challenge_pk": self.challenge.pk,
+ "phase_pk": self.challenge_phase.pk,
+ },
+ )
+ )
+ self.client.force_authenticate(user=self.participant_user)
+ expected = {"error": "You are not authorized to make this request"}
+ response = self.client.get(self.url, {}, format="json")
+ self.assertEqual(response.data, expected)
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
 def test_get_or_update_allowed_email_ids_patch_success(self):
 self.url = ( # pylint: disable=attribute-defined-outside-init
 reverse_lazy(
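Review bot: Both new tests only exercise the negative arm of the guard — `self.participant_user` is neither `challenge.creator.created_by` nor a host — while the existing success tests presumably authenticate as the creator, so nothing in the suite shows the `is_user_a_host_of_challenge` arm granting access; a third test that authenticates as a host-team member who is not the creator and asserts `status.HTTP_200_OK` is needed, otherwise a regression that drops the `or` clause would still pass. The asserted `{"error": "You are not authorized to make this request"}` body is now spelled out in two tests and two views; one module-level constant in the views module, imported by the tests, keeps the message from drifting. In test_get_allowed_email_ids_when_user_is_not_host_or_creator the `{}` query dict and `format="json"` on a GET are no-ops; `response = self.client.get(self.url)` says what is meant.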