diff --git a/inc/ui/principal-edit.php b/inc/ui/principal-edit.php
index c80efecc..603fd1e1 100644
--- a/inc/ui/principal-edit.php
+++ b/inc/ui/principal-edit.php
@@ -67,7 +67,7 @@ function handle_subaction( $subaction ) {
 if ($can_write_principal) {
 if ( $session->CheckConfirmationHash('GET', 'confirm') ) {
 dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete collection %s for principal %d', $_GET['collection_id'], $id );
- $qry = new AwlQuery('DELETE FROM collection WHERE collection_id=?;', $_GET['collection_id'] );
+ $qry = new AwlQuery('DELETE FROM collection WHERE collection_id=:collection_id AND user_no = (select user_no from principal where principal_id = :principal_id )', array( ':collection_id' => intval($_GET['collection_id']), ':principal_id' => $id));
 if ( $qry->Exec() ) {
 $c->messages[] = i18n('Collection deleted.');
 return true;
@@ -119,7 +119,7 @@ function handle_subaction( $subaction ) {
 if ($can_write_principal) {
 if ( $session->CheckConfirmationHash('GET', 'confirm') ) {
 dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete ticket "%s" for principal %d', $_GET['ticket_id'], $id );
- $qry = new AwlQuery('DELETE FROM access_ticket WHERE ticket_id=?;', $_GET['ticket_id'] );
+ $qry = new AwlQuery('DELETE FROM access_ticket WHERE ticket_id=:ticket_id AND dav_owner_id = :dav_owner_id', array( ':ticket_id' => $_GET['ticket_id'], ':dav_owner_id' => $id));
 if ( $qry->Exec() ) {
 $c->messages[] = i18n('Access ticket deleted.');
 return true;
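Review bot: The success path on the `if ( $qry->Exec() )` line still reports "Collection deleted." even when the new ownership predicate matches zero rows, because `Exec()` only tells you the statement ran, not that a row was removed; a collection_id belonging to another principal now silently deletes nothing while the admin sees a success message. If AwlQuery exposes the affected-row count (it appears to, via `rows()`), tighten the check to `if ( $qry->Exec() && $qry->rows() > 0 )` and fall through to an error message otherwise. The same pattern applies to the ticket hunk at line 119 and the binding hunk at line 146. The enclosing handle_subaction() starts and ends outside this hunk.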
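Review bot: The `dbg_error_log(... 'Allowed to delete ticket "%s" for principal %d' ...)` call just above the changed line now logs a permission grant before the query decides whether the ticket is actually owned by `$id`, so the log can claim a deletion that the new `dav_owner_id = :dav_owner_id` clause refused. Consider rewording the message to something like `'Attempting to delete ticket "%s" for principal %d'` and logging the outcome after `Exec()`, so an audit of the debug log reflects what happened. The enclosing handle_subaction() starts and ends outside this hunk.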
@@ -146,7 +146,7 @@ function handle_subaction( $subaction ) {
 if ($can_write_principal) {
 if ( $session->CheckConfirmationHash('GET', 'confirm') ) {
 dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete binding "%s" for principal %d', $_GET['bind_id'], $id );
- $qry = new AwlQuery('DELETE FROM dav_binding WHERE bind_id=?;', $_GET['bind_id'] );
+ $qry = new AwlQuery('DELETE FROM dav_binding WHERE bind_id=:bind_id AND dav_owner_id = :dav_owner_id', array( ':bind_id' => $_GET['bind_id'], ':dav_owner_id' => $id));
 if ( $qry->Exec() ) {
 $c->messages[] = i18n('Binding deleted.');
 return true;
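Review bot: The added line binds `$_GET['bind_id']` raw, whereas the collection hunk at line 67 normalises its id with `intval()`; if bind_id is an integer column like collection_id (it looks that way, but confirm against the schema), `':bind_id' => intval($_GET['bind_id'])` keeps the two delete paths consistent and rejects non-numeric input before it reaches the database. The parameter binding itself is fine, so this is a consistency point rather than an injection concern. The enclosing handle_subaction() starts and ends outside this hunk.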