diff --git a/src/customPermissions.py b/src/involvement/customPermissions.py
similarity index 69%
rename from src/customPermissions.py
rename to src/involvement/customPermissions.py
index 6fe57201..3d201426 100644
--- a/src/customPermissions.py
+++ b/src/involvement/customPermissions.py
@@ -14,3 +14,9 @@ class ReadCreateUpdate(BasePermission):
     def has_permission(self, request, view):
         return True if request.method not in ["DELETE"] else False
+class OwnApplicationPermission(BasePermission):
+    """
+    Object-level permission to only allow updating his own profile
+    """
+    def has_object_permission(self, request, view, obj):
+        return obj.applicant == request.user
diff --git a/src/involvement/views/application_api.py b/src/involvement/views/application_api.py
index 90fd2373..b2332d2b 100644
--- a/src/involvement/views/application_api.py
+++ b/src/involvement/views/application_api.py
@@ -1,14 +1,17 @@
-from rest_framework import viewsets
+from rest_framework import viewsets, mixins
 from involvement.serializers.application_serializer import ApplicationSerializer
 from rest_framework.permissions import IsAuthenticated
 from involvement.models.application import Application
+from involvement.customPermissions import OwnApplicationPermission
 #Role view
-class ApplicationViewSet(viewsets.ReadOnlyModelViewSet):
+class ApplicationViewSet(viewsets.ModelViewSet):
     serializer_class = ApplicationSerializer
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, OwnApplicationPermission]
     def get_queryset(self):
         user = self.request.user
         queryset = Application.objects.filter(applicant=user)
         return queryset
+
+
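Review bot: The docstring on `OwnApplicationPermission` says it allows "updating his own profile", but `has_object_permission` compares `obj.applicant` to `request.user`, so it gates access to an Application, and DRF consults it on retrieve and destroy as well as update. It is also worth stating that the class inherits `BasePermission.has_permission`, which returns True, so on its own it grants list and create to any caller who passes the other permission classes; only the view's queryset or serializer can restrict those. Suggested docstring: `"""Object-level check: grant access only when the Application's applicant is the requesting user. Does not restrict list/create (has_permission is inherited and always True)."""`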
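Review bot: Switching to `viewsets.ModelViewSet` enables POST, but nothing in this hunk binds a new Application to the caller: `has_object_permission` is not consulted on create and `get_queryset` does not apply there, so whether a user can create (or later PATCH) an application with another user's `applicant` depends entirely on `ApplicationSerializer`, which is not visible here. Add `def perform_create(self, serializer): serializer.save(applicant=self.request.user)` to the viewset and make `applicant` read-only in the serializer so the owner can neither be supplied nor changed from the request body. The queryset filter already scopes detail lookups to the caller, so `OwnApplicationPermission` is defense in depth there rather than the primary control. Also, `mixins` is added to the first import line but never used in the file.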