diff --git a/app/Http/Controllers/Backstage/PublishedConcertsController.php b/app/Http/Controllers/Backstage/PublishedConcertsController.php
index 6968cd8..8ea2a6e 100644
--- a/app/Http/Controllers/Backstage/PublishedConcertsController.php
+++ b/app/Http/Controllers/Backstage/PublishedConcertsController.php
@@ -6,18 +6,20 @@ use App\Concert;
 use Carbon\Carbon;
 use Illuminate\Http\Request;
 use App\Http\Controllers\Controller;
+use Illuminate\Support\Facades\Auth;
 class PublishedConcertsController extends Controller
 {
 public function store()
 {
- $concert = Concert::find(request('concert_id'));
+ $concert = Auth::user()->concerts()->findOrFail(request('concert_id'));
 if ($concert->isPublished()) {
 abort(422);
 }
 $concert->publish();
+ return redirect()->route('backstage.concerts.index');
 }
 }
diff --git a/routes/web.php b/routes/web.php
index bf67966..d090647 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -25,6 +25,6 @@ Route::group(['middleware' => 'auth', 'prefix' => 'backstage', 'namespace' => 'B
 Route::post('/concerts', 'ConcertsController@store');
 Route::get('/concerts/{id}/edit', 'ConcertsController@edit')->name('backstage.concerts.edit');
 Route::patch('/concerts/{id}', 'ConcertsController@update')->name('backstage.concerts.update');
+ Route::post('/published-concerts', 'PublishedConcertsController@store');
 });
-Route::post('/backstage/published-concerts', 'Backstage\PublishedConcertsController@store');
diff --git a/tests/Feature/Backstage/PublishConcertTest.php b/tests/Feature/Backstage/PublishConcertTest.php
index 14d5566..247e40a 100644
--- a/tests/Feature/Backstage/PublishConcertTest.php
+++ b/tests/Feature/Backstage/PublishConcertTest.php
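Review bot: In `PublishedConcertsController::store()`, `request('concert_id')` goes straight into `findOrFail()` with no check on its shape. Eloquent's `findOrFail()` also accepts an array of ids and then returns a collection, so a request carrying `concert_id[]` for the caller's own concert would, as far as I can tell, reach `$concert->isPublished()` on a collection and end in a server error rather than a 4xx. Validating the field before the lookup, with a rule such as `'concert_id' => 'required|integer'`, closes that path, and a matching case in `PublishConcertTest` would pin it. Separately, the `isPublished()` check and `publish()` are two steps, so two concurrent requests could both pass the check; whether that matters depends on what `publish()` does, which is outside this diff.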
@@ -48,4 +48,53 @@ class PublishConcertTest extends TestCase
 $response->assertStatus(422);
 $this->assertEquals(3, $concert->fresh()->ticketsRemaining());
 }
+
+ /** @test */
+ function a_promoter_cannot_publish_other_concerts()
+ {
+ $user = factory(User::class)->create();
+ $otherUser = factory(User::class)->create();
+ $concert = factory(Concert::class)->states('unpublished')->create([
+ 'user_id' => $otherUser->id,
+ 'ticket_quantity' => 3,
+ ]);
+
+ $response = $this->actingAs($user)->post('/backstage/published-concerts', [
+ 'concert_id' => $concert->id,
+ ]);
+
+ $response->assertStatus(404);
+ $concert = $concert->fresh();
+ $this->assertFalse($concert->isPublished());
+ $this->assertEquals(0, $concert->ticketsRemaining());
+ }
+
+ /** @test */
+ function a_guest_cannot_publish_concerts()
+ {
+ $concert = factory(Concert::class)->states('unpublished')->create([
+ 'ticket_quantity' => 3,
+ ]);
+
+ $response = $this->post('/backstage/published-concerts', [
+ 'concert_id' => $concert->id,
+ ]);
+
+ $response->assertRedirect('/login');
+ $concert = $concert->fresh();
+ $this->assertFalse($concert->isPublished());
+ $this->assertEquals(0, $concert->ticketsRemaining());
+ }
+
+ /** @test */
+ function concerts_that_do_not_exist_cannot_be_published()
+ {
+ $user = factory(User::class)->create();
+
+ $response = $this->actingAs($user)->post('/backstage/published-concerts', [
+ 'concert_id' => 999,
+ ]);
+
+ $response->assertStatus(404);
+ }
 }
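Review bot: The `assertStatus(404)` in `a_promoter_cannot_publish_other_concerts` carries a security decision that the test does not explain: another promoter's concert is answered exactly like a missing one, so the response does not reveal which concert ids exist. A short comment above the assertion, e.g. `// 404, not 403: a foreign concert must be indistinguishable from a missing one`, would keep a later change to 403 from looking like a harmless cleanup. The same test would also be stronger if `$user` owned a concert of their own, so that it proves the lookup is scoped by owner rather than run against an empty set.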