diff --git a/server/controllers/shelf.js b/server/controllers/shelf.js
index 3c623c7..51a958e 100644
--- a/server/controllers/shelf.js
+++ b/server/controllers/shelf.js
@@ -1,9 +1,17 @@
 const fetch = require('node-fetch');
 class ShelfController {
- constructor (sequelizeModels) {
- this.model = sequelizeModels.Shelf;
- this.itemModel = sequelizeModels.ShelfItem;
+ constructor (sequelizeModels, language) { // Language needs to be passed with every request involving books.
+ this.models = sequelizeModels;
+ this.lang = language;
+ }
+
+ static userOwnsShelf(user, shelf) {
+ return typeof user !== 'undefined' && user.id === shelf.userId;
+ }
+
+ static shelfCanBeModified(shelf) {
+ return shelf.isDeletable === true;
 }
 static newShelfNameIsValid (name, existingNames = []) {
@@ -32,7 +40,7 @@ class ShelfController {
 async createDefaultShelves (user) {
 try {
- const defaultShelvesCreated = await this.model.bulkCreate([
+ const defaultShelvesCreated = await this.models.Shelf.bulkCreate([
 {
 userId: user.id,
 name: 'Reading',
@@ -82,17 +90,9 @@ class ShelfController {
 }
 }
- async renameShelf (userId, id, name) {
+ async renameShelf (user, shelf, name) {
 try {
- return await this.model.update({
- name,
- }, {
- where: {
- id,
- userId,
- isDeletable: true, // You can only rename shelves not created by the system
- }
- });
+ return await shelf.update({ name });
 } catch(error) {
 return {
 error,
@@ -186,10 +186,10 @@ class ShelfController {
 return shelf;
 }
-
+
 async userCanViewShelf (user, shelf) { // This needs work when permissions are added.
- const userOwnsShelf = typeof user !== 'undefined' && user.id === shelf.userId;
+ const userOwnsShelf = ShelfController.userOwnsShelf(user, shelf);
 console.log('owned?', userOwnsShelf);
 console.log('isPublic?', shelf.isPublic);
 return userOwnsShelf || shelf.isPublic;
diff --git a/server/routes/shelf.js b/server/routes/shelf.js
index 426c6d9..339f6f7 100644
--- a/server/routes/shelf.js
+++ b/server/routes/shelf.js
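Review bot: The new `userOwnsShelf` and `shelfCanBeModified` helpers dereference `shelf` unconditionally, so a caller that passes a `null`/`undefined` shelf (e.g. a lookup that found nothing) gets a TypeError out of an authorization check rather than a clean "not owned" answer, and `typeof user !== 'undefined'` still lets a `null` user through to `user.id`. Since these are the gates every mutating route is now expected to call, they should fail closed: `return user != null && shelf != null && user.id === shelf.userId;` and `return shelf != null && shelf.isDeletable === true;`. A short JSDoc on each stating that they return `false` (never throw) for missing arguments would make that contract explicit for the routes that depend on it. The constructor's new `language` parameter is also undocumented beyond the trailing comment; noting what callers must pass and what `this.lang` is used for would help, as no use is visible in this diff.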
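Review bot: `renameShelf` no longer enforces ownership or `isDeletable` itself: the old `where: { id, userId, isDeletable: true }` clause was the check, and the new `shelf.update({ name })` renames whatever instance it is handed, so the `user` parameter is now unused and any caller other than the route that performs the pre-checks can rename a system shelf or another user's shelf. A defense-in-depth guard inside the `try`, `if (!ShelfController.userOwnsShelf(user, shelf) || !ShelfController.shelfCanBeModified(shelf)) throw new Error('shelf is not owned by user or is not editable');`, keeps the method safe on its own and routes the refusal through the existing catch path. The method's `catch` block and return object continue outside this hunk.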
@@ -104,7 +104,7 @@ async function routes(fastify, options) {
 fastify.post('/api/shelf/rename', async (request, reply) => {
 if (!request.isLoggedInUser) {
- return reply.code(400).send({
+ return reply.code(401).send({
 error: true,
 message: 'api.not_logged_in',
 });
@@ -136,9 +136,25 @@ async function routes(fastify, options) {
 return reply.code(400).send(shelfNameIsValid);
 }
+ const shelf = await fastify.models.Shelf.findByPk(request.body.shelfId);
+
+ if (!ShelfController.userOwnsShelf(request.user, shelf)) {
+ return reply.code(403).send({
+ error: true,
+ message: 'api.shelf.not_owner',
+ });
+ }
+
+ if (!ShelfController.shelfCanBeModified(shelf)) {
+ return reply.code(403).send({
+ error: true,
+ message: 'api.shelf.not_editable',
+ });
+ }
+
 const shelfController = new ShelfController(fastify.models);
- const newShelf = shelfController.renameShelf(request.user, request.body.shelfId, request.body.shelfName);
+ const newShelf = shelfController.renameShelf(request.user, shelf, request.body.shelfName);
 if (typeof newShelf.error !== 'undefined' && newShelf.error !== false) {
 newShelf.message = 'api.shelf.rename.fail';
 return reply.code(400).send(newShelf);
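Review bot: `findByPk` resolves to `null` for an unknown `shelfId`, and the very next line hands that `null` to `ShelfController.userOwnsShelf`, which reads `shelf.userId`; a request with a bad or guessed id therefore ends in an unhandled TypeError (a 500) instead of a deliberate 404, so a not-found branch is needed before the ownership checks. Independently, `renameShelf` is `async` but the new `const newShelf = shelfController.renameShelf(...)` line does not `await` it, so `newShelf` is a Promise, `newShelf.error` is always `undefined`, the `api.shelf.rename.fail` branch is dead, and the rename outcome is never reported to the client; this was already true before the change but the commit rewrote the line without fixing it. As the controller file in this same commit now declares `constructor (sequelizeModels, language)`, the `new ShelfController(fastify.models)` call here appears to leave `this.lang` undefined — worth confirming whether this route needs it. The handler continues past the end of the hunk.
```javascript
const shelf = await fastify.models.Shelf.findByPk(request.body.shelfId);

// Unknown id: findByPk resolves to null and the ownership check would throw on shelf.userId.
if (!shelf) {
  return reply.code(404).send({
    error: true,
    message: 'api.shelf.not_found', // constructed placeholder — use the project's i18n key
  });
}

// … unchanged: ownership and isDeletable checks …

const shelfController = new ShelfController(fastify.models);
const newShelf = await shelfController.renameShelf(request.user, shelf, request.body.shelfName);
```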