diff --git a/finances/models.py b/finances/models.py
index cd3c7012e4952a24a52da731b5afcb61a6db77a1..3776c57fdd9d894b179f89858e86b911a5449895 100644
--- a/finances/models.py
+++ b/finances/models.py
@@ -71,6 +71,12 @@ class SubsidyAttachment(models.Model):
         if self.subsidy:
             return reverse('finances:subsidy_attachment', args=(self.subsidy.id, self.id))
+    def visible_to_user(self, current_user):
+        if self.publicly_visible or current_user.has_perm('scipost.can_manage_subsidies'):
+            return True
+        if self.subsidy.organization.contactrole_set.filter(contact__user=current_user).exists():
+            return True
+        return False
 ###########################
diff --git a/finances/views.py b/finances/views.py
index 3cd4089fdfae2a7f8f20616ab5acd389f413b278..544e7fa0b9697748a40383d5718c6694669f1390 100644
--- a/finances/views.py
+++ b/finances/views.py
@@ -7,6 +7,7 @@ import mimetypes
 from django.contrib import messages
 from django.contrib.auth.decorators import permission_required
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
 from django.core.urlresolvers import reverse_lazy
 from django.http import Http404, HttpResponse
 from django.shortcuts import get_object_or_404, render
@@ -83,7 +84,8 @@ class SubsidyDetailView(DetailView):
 def subsidy_attachment(request, subsidy_id, attachment_id):
     attachment = get_object_or_404(SubsidyAttachment.objects, subsidy__id=subsidy_id, id=attachment_id)
-
+    if not attachment.visible_to_user(request.user):
+        return PermissionDenied
     content_type, encoding = mimetypes.guess_type(attachment.attachment.path)
     content_type = content_type or 'application/octet-stream'
     response = HttpResponse(attachment.attachment.read(), content_type=content_type)
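Review bot: `visible_to_user` dereferences `self.subsidy.organization` without a guard, while `get_absolute_url` directly above tests `if self.subsidy:` first, so an attachment with no subsidy raises AttributeError out of an access check instead of returning False; add `if self.subsidy is None: return False` before the contactrole query. The `contactrole_set.filter(contact__user=current_user)` lookup also presumably fails for an unauthenticated request (`AnonymousUser` is not a model instance), so the method should return False on `not current_user.is_authenticated` after the `publicly_visible` check — confirm how the calling view treats anonymous users. A docstring naming the three grant paths (public flag, `scipost.can_manage_subsidies` permission, contact role at the subsidy's organization) would make this authorization rule auditable. As a point of style, the two `if ...: return True` branches plus `return False` collapse to a single boolean `return` expression.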
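Review bot: `return PermissionDenied` on the new line in `subsidy_attachment` returns the exception class as the view's response instead of raising it, so a non-visible attachment never yields a 403; it should read `raise PermissionDenied`. As written Django will fail on the non-HttpResponse return value, so the file is still not served, but the denied path becomes a server error rather than the intended refusal. The check is also the only gate before `attachment.attachment.read()`, and it is called with `request.user` with no login requirement on the view, so any `AnonymousUser` handling gap in `visible_to_user` surfaces here. The body of `subsidy_attachment` continues past the hunk.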