diff --git a/core/viewsets.py b/core/viewsets.py
index 756edd55..2001618e 100644
--- a/core/viewsets.py
+++ b/core/viewsets.py
@@ -234,6 +234,15 @@ class OrderViewSet(EvibesViewSet):
 "remove_order_product": RemoveOrderProductSerializer,
 }

+ def get_queryset(self):
+ qs = super().get_queryset()
+ user = self.request.user
+
+ if user.has_perm("core.view_order"):
+ return qs
+
+ return qs.filter(user=user)
+
 @action(detail=False, methods=["get"], url_path="current")
 def current(self, request, *_args, **kwargs):
 if not request.user.is_authenticated:
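Review bot: The new `get_queryset` passes `self.request.user` straight into `qs.filter(user=user)`, so an unauthenticated request reaches the filter with an `AnonymousUser`, which the ORM cannot use as a lookup value and which would typically surface as a server error rather than an empty result. The `is_authenticated` check at the top of `current` suggests this viewset can be reached anonymously, though its permission classes are outside the hunk. Adding `if not user.is_authenticated: return qs.none()` before the `has_perm` check makes the scoping fail closed. A docstring such as `"""Return every order for holders of core.view_order, otherwise only the requester's own."""` would record the access rule, and any action that loads orders without going through `get_queryset()` is not covered by this filter and is worth checking. `OrderViewSet` starts before the hunk and `current` continues past it.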