diff --git a/src/routes/(token-based)/list/[vorgang]/+page.server.ts b/src/routes/(token-based)/list/[vorgang]/+page.server.ts
new file mode 100644
index 0000000..72c55fe
--- /dev/null
+++ b/src/routes/(token-based)/list/[vorgang]/+page.server.ts
@@ -0,0 +1,23 @@
+import { getCrimesListByToken, getVorgaenge } from '$lib/server/vorgangService.js';
+import type { PageServerLoad } from './$types';
+
+export const load: PageServerLoad = async ({ params, url }) => {
+	const vorgangList = getVorgaenge();
+	const vorgangToken = params.vorgang;
+	const crimesList = await getCrimesListByToken(vorgangToken);
+	const vorgang = vorgangList.find((v) => v.vorgangToken === vorgangToken); //vorgang sollte ein eigener Typ werden, und dann kann man es hier vernünftig typisieren
+	if (!vorgang || !crimesList) {
+		throw new Error(`Fehlgeschlagen, es wurden keine Daten zum token gefunden`);
+	}
+
+	//Variabeln für NameItemEditor
+	const crimeNames: string[] = crimesList.map((l) => l.name);
+
+	return {
+		vorgang,
+		vorgangList,
+		crimesList,
+		url,
+		crimeNames
+	};
+}
diff --git a/src/routes/(token-based)/list/[vorgang]/+page.ts b/src/routes/(token-based)/list/[vorgang]/+page.ts
deleted file mode 100644
index fdc38b8..0000000
--- a/src/routes/(token-based)/list/[vorgang]/+page.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-import { API_ROUTES } from '../../../index.js';
-
-export async function load({fetch, params, url}){
-    const  vorgangResponse = await fetch(API_ROUTES.LIST);
-     const vorgangList = await vorgangResponse.json()
-     const vorgangToken = params.vorgang;
-         const crimesListResponse = await fetch(API_ROUTES.VORGANG(vorgangToken))
-         const crimesList = await crimesListResponse.json();
-    const vorgang = vorgangList.find(v => v.vorgangToken === vorgangToken); //vorgang sollte ein eigener Typ werden, und dann kann man es hier vernünftig typisieren
-    if(!vorgang || !crimesList){
-  	throw new Error(`Fehlgeschlagen, es wurden keine Daten zum token gefunden`);
-    }
-
-	//Variabeln für NameItemEditor
-	const crimeNames: string[] = crimesList.map((l) => l.name);
-
-
-     return {
-      vorgang,
-      vorgangList,
-      crimesList,
-      url,
-      crimeNames
-     }
-}
diff --git a/src/routes/api/list/+server.ts b/src/routes/api/list/+server.ts
index b2c542d..b8fa28a 100644
--- a/src/routes/api/list/+server.ts
+++ b/src/routes/api/list/+server.ts
@@ -1,7 +1,10 @@
 import { getVorgaenge } from '$lib/server/vorgangService';
+import { json } from '@sveltejs/kit';
 
 export async function GET({ locals }) {
-
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	const vorgaenge = getVorgaenge();
 
 	return new Response(JSON.stringify(vorgaenge), {
diff --git a/src/routes/api/list/[vorgang]/+server.ts b/src/routes/api/list/[vorgang]/+server.ts
index d3c0534..4f4155a 100644
--- a/src/routes/api/list/[vorgang]/+server.ts
+++ b/src/routes/api/list/[vorgang]/+server.ts
@@ -1,11 +1,15 @@
 import { BUCKET, client } from '$lib/minio';
+import { json } from '@sveltejs/kit';
 import {
 	deleteVorgangByToken,
 	getCrimesListByToken,
 	vorgangNameExists
 } from '$lib/server/vorgangService';
 
-export async function DELETE({ params }) {
+export async function DELETE({ locals, params }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	const vorgangToken = params.vorgang;
 
 	const object_list = await new Promise((resolve, reject) => {
@@ -29,7 +33,10 @@ export async function DELETE({ params }) {
 	return new Response(null, { status: 204 });
 }
 
-export async function HEAD({ params }) {
+export async function HEAD({ locals, params }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	try {
 		const vorgangName = params.vorgang;
 		const existing = vorgangNameExists(vorgangName);
@@ -44,7 +51,9 @@ export async function HEAD({ params }) {
 }
 
 export async function GET({ params, locals }) {
-
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	try {
 		const vorgangToken = params.vorgang;
 		const crimesList = await getCrimesListByToken(vorgangToken);
diff --git a/src/routes/api/list/[vorgang]/[tatort]/+server.ts b/src/routes/api/list/[vorgang]/[tatort]/+server.ts
index eb9473f..c6d7036 100644
--- a/src/routes/api/list/[vorgang]/[tatort]/+server.ts
+++ b/src/routes/api/list/[vorgang]/[tatort]/+server.ts
@@ -1,7 +1,10 @@
 import { BUCKET, client } from '$lib/minio';
 import { json } from '@sveltejs/kit';
 
-export async function GET() {
+export async function GET({ locals }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	const stream = client.listObjectsV2(BUCKET, '', true);
 	const result = new ReadableStream({
 		start(controller) {
@@ -24,7 +27,10 @@ export async function GET() {
 	});
 }
 
-export async function DELETE({ request }: { request: Request }) {
+export async function DELETE({ locals, request }) {
+	if (!locals.user) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
 	const url_fragments = request.url.split('/');
 	const item = url_fragments.at(-1);
 	const vorgang = url_fragments.at(-2);
diff --git a/tests/api/List.test.ts b/tests/api/List.test.ts
index 39c868c..d7b5ce4 100644
--- a/tests/api/List.test.ts
+++ b/tests/api/List.test.ts
@@ -14,7 +14,7 @@ const event = {
 };
 
 describe('API-Endpoints: list', () => {
-	test.skip('Unerlaubter Zugriff', async () => {
+	test('Unerlaubter Zugriff', async () => {
 		const event = {
 			locals: {
 				user: null
diff --git a/tests/api/ListVorgang.test.ts b/tests/api/ListVorgang.test.ts
index 812ee36..ae25cfc 100644
--- a/tests/api/ListVorgang.test.ts
+++ b/tests/api/ListVorgang.test.ts
@@ -31,7 +31,7 @@ const MockEvent = {
 };
 
 describe('API-Endpoints: list/[vorgang]', () => {
-	test.skip('Unerlaubter Zugriff', async () => {
+	test('Unerlaubter Zugriff', async () => {
 		const event = {
 			locals: {
 				user: null
diff --git a/tests/api/ListVorgangTatort.test.ts b/tests/api/ListVorgangTatort.test.ts
index a870aa2..b49b0e1 100644
--- a/tests/api/ListVorgangTatort.test.ts
+++ b/tests/api/ListVorgangTatort.test.ts
@@ -1,6 +1,7 @@
 import { describe, test, expect, vi } from 'vitest';
 import { DELETE, PUT } from '$root/routes/api/list/[vorgang]/[tatort]/+server';
 import { BUCKET, client } from '$lib/minio';
+import { baseData } from '../fixtures';
 
 // Mock data and methods
 const fakeVorgangToken = `c399423a-ba37-4fe1-bbdf-80e5881168ff`;
@@ -22,7 +23,8 @@ vi.mock('$lib/minio', () => ({
 describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
 	test('Löschen von Tatorten', async () => {
 		const request = new Request(fakeCrimeAPIURL);
-		const response = await DELETE({ request });
+		const locals = { user: baseData.user }
+		const response = await DELETE({ locals, request });
 
 		expect(client.removeObject).toHaveBeenCalledWith(BUCKET, fakeCrimePath);
 
@@ -40,11 +42,12 @@ describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
 			})
 		});
 		const params = { vorgang: fakeVorgangToken };
+		const locals = { user: baseData.user }
 
 		// Mock Datei nicht gefunden
 		client.statObject.mockRejectedValueOnce(new Error('NotFound'));
 
-		const response = await PUT({ params, request });
+		const response = await PUT({ locals, params, request });
 
 		const fakeCrimeNewPath = `${fakeVorgangToken}/${fakeCrimeNewName}`;
 		expect(client.statObject).toHaveBeenCalledWith(BUCKET, fakeCrimeNewPath);
@@ -62,9 +65,10 @@ describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
 				newName: ''
 			})
 		});
+		const locals = { user: baseData.user }
 		const params = { vorgang: fakeVorgangToken };
 
-		const response = await PUT({ params, request });
+		const response = await PUT({ locals, params, request });
 		expect(response.status).toBe(400);
 	});
 
@@ -77,11 +81,12 @@ describe('API-Endpoints: list/[vorgang]/[tatort]', () => {
 			})
 		});
 		const params = { vorgang: fakeVorgangToken };
+		const locals = { user: baseData.user }
 
 		// Datei existiert bereits
 		client.statObject.mockResolvedValueOnce({});
 
-		const response = await PUT({ params, request });
+		const response = await PUT({ locals, params, request });
 
 		expect(response.status).toBe(400);
 
diff --git a/tests/api/VorgangVorgangPIN.test.ts b/tests/api/VorgangVorgangPIN.test.ts
index 8d39143..4c11d3a 100644
--- a/tests/api/VorgangVorgangPIN.test.ts
+++ b/tests/api/VorgangVorgangPIN.test.ts
@@ -1,9 +1,11 @@
 import { describe, test, expect, vi } from 'vitest';
 import { GET } from '$root/routes/api/vorgang/[vorgang]/vorgangPIN/+server';
 import { db } from '$lib/server/dbService';
+import { baseData } from '../fixtures';
 
 const mockEvent = {
-	params: { vorgang: '123' }
+	params: { vorgang: '123' },
+	locals: { user: baseData.user }
 };
 
 vi.mock('$lib/server/dbService', () => ({