diff --git a/controllers/tourController.js b/controllers/tourController.js
index a0355a9df00a63006ced449b1cd36e6029fb12e1..adc47a7e7276b33bc275fb6a74e9106f40f1dac8 100644
--- a/controllers/tourController.js
+++ b/controllers/tourController.js
@@ -206,6 +206,10 @@ exports.getEditTour = async (req, res) => {
     console.log("Tour data:", tour);
     console.log("Session user ID:", req.session.userId);
 
+    if (tour.userId !== req.session.userId) {
+      return res.status(403).send('คุณไม่มีสิทธิ์แก้ไขทัวร์นี้');
+    }
+    
     if (!tour) {
       return res.status(404).send('ไม่พบข้อมูลทัวร์');
     }
diff --git a/models/tourModel.js b/models/tourModel.js
index aa8f8dd2c4b364b715371967406c828dab98c67c..2485742698233e966696006a807bc35de2b7debd 100644
--- a/models/tourModel.js
+++ b/models/tourModel.js
@@ -78,7 +78,7 @@ class Tour {
   
     // ดึงทัวร์ตาม ID
     static async getTourById(tourId) {
-      const query = 'SELECT id, name, description, price, user_Id FROM tours WHERE id = ?';
+      const query = 'SELECT id, name, description, price, userId FROM tours WHERE id = ?';
       
       try {
         const [results] = await pool.execute(query, [tourId]);