diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb
index ced68d39f..2edd92dbc 100644
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -62,7 +62,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
 end
 def set_push_subscription
- @push_subscription = ::Web::PushSubscription.find(params[:id])
+ @push_subscription = ::Web::PushSubscription.where(user_id: active_session.user_id).find(params[:id])
 end
 def subscription_params
diff --git a/spec/requests/api/web/push_subscriptions_spec.rb b/spec/requests/api/web/push_subscriptions_spec.rb
index 21830d1b1..88c0302f8 100644
--- a/spec/requests/api/web/push_subscriptions_spec.rb
+++ b/spec/requests/api/web/push_subscriptions_spec.rb
@@ -163,9 +163,10 @@ RSpec.describe 'API Web Push Subscriptions' do
 end
 describe 'PUT /api/web/push_subscriptions/:id' do
- before { sign_in Fabricate :user }
+ before { sign_in user }
- let(:subscription) { Fabricate :web_push_subscription }
+ let(:user) { Fabricate(:user) }
+ let(:subscription) { Fabricate(:web_push_subscription, user: user) }
 it 'gracefully handles invalid nested params' do
 put api_web_push_subscription_path(subscription), params: { data: 'invalid' }
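Review bot: `active_session.user_id` in `set_push_subscription` raises NoMethodError when no session is present, and the hunk does not show whether a filter requiring a signed-in user runs before this one. Please confirm that ordering rather than softening the call to `active_session&.user_id`, because `where(user_id: nil)` would then match any subscription rows that have no owner. A short comment above the query, e.g. `# Scope by owner so an id belonging to another user is treated as not found`, would also keep the scope from being dropped in a later refactor. The filters and the actions that use this method lie outside the hunk.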
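Review bot: The spec for `PUT /api/web/push_subscriptions/:id` only covers a subscription owned by the signed-in user, so nothing here would fail if the ownership scope in the controller were removed again. A context where the subscription belongs to a different user, asserting that the record is untouched and that the response is a not-found status, would pin the authorization behaviour this commit introduces. The expected 404 assumes the base controller renders a missing record as not found, which is not visible on this page. The `describe` block continues past the end of the hunk.

```ruby
describe 'PUT /api/web/push_subscriptions/:id' do
  # … unchanged: before/let setup and the invalid-params example …

  context 'when the subscription belongs to another user' do
    let(:subscription) { Fabricate(:web_push_subscription, user: Fabricate(:user)) }

    it 'does not update it and responds with not found' do
      # valid_update_params: placeholder for a payload this endpoint accepts
      expect { put api_web_push_subscription_path(subscription), params: valid_update_params }
        .to_not(change { subscription.reload.attributes })

      expect(response).to have_http_status(404)
    end
  end
```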