diff --git a/src/common/templates/403.html b/src/common/templates/403.html
new file mode 100644
index 0000000..0512cd6
--- /dev/null
+++ b/src/common/templates/403.html
@@ -0,0 +1,5 @@
+{% extends "common/base.html" %}
+{% block content %}
+    <h1>Permission denied</h1>
+    <p>You're not allowed to access this page.</p>
+{% endblock %}
diff --git a/src/common/templates/common/navbar.html b/src/common/templates/common/navbar.html
index 654f20b..efd70a8 100644
--- a/src/common/templates/common/navbar.html
+++ b/src/common/templates/common/navbar.html
@@ -6,12 +6,12 @@
         </button>
         <div class="collapse navbar-collapse" id="navbarSupportedContent">
             <ul class="navbar-nav me-auto mb-2 mb-lg-0">
-                {% if perms.purchase.can_view_basket %}
+                {% if perms.purchase.view_basket %}
                     <li class="nav-item">
                         <a href="{% url "purchase:list" %}" class="nav-link">Baskets</a>
                     </li>
                 {% endif %}
-                {% if perms.purchase.can_add_basket %}
+                {% if perms.purchase.add_basket %}
                     <li class="nav-item">
                         <a href="{% url "purchase:new" %}" class="nav-link">New basket</a>
                     </li>
diff --git a/src/purchase/templates/purchase/basket_list.html b/src/purchase/templates/purchase/basket_list.html
index b03ab92..a29d38b 100644
--- a/src/purchase/templates/purchase/basket_list.html
+++ b/src/purchase/templates/purchase/basket_list.html
@@ -12,8 +12,12 @@
                             {{ basket.price_display }}<br>
                             {{ basket.payment_method }}
                         </p>
-                        <a href="{% url "purchase:update" basket.id %}" class="btn btn-sm btn-primary">Edit</a>
-                        <a href="{% url "purchase:delete" basket.id %}" class="btn btn-sm btn-danger">Delete</a>
+                        {% if perms.purchase.change_basket %}
+                            <a href="{% url "purchase:update" basket.id %}" class="btn btn-sm btn-primary">Edit</a>
+                        {% endif %}
+                        {% if perms.purchase.delete_basket %}
+                            <a href="{% url "purchase:delete" basket.id %}" class="btn btn-sm btn-danger">Delete</a>
+                        {% endif %}
                     </div>
                 </div>
             </div>
diff --git a/src/purchase/views.py b/src/purchase/views.py
index ac0b8c4..b356ac0 100644
--- a/src/purchase/views.py
+++ b/src/purchase/views.py
@@ -17,6 +17,12 @@ class NewBasketView(ProtectedViewsMixin, SuccessMessageMixin, CreateView):
     form_class = BasketForm
     success_message = "Successfully created basket."
 
+    def get_success_url(self):
+        if self.request.user.has_perm("purchase.change_basket"):
+            return super().get_success_url()
+        else:
+            return reverse("purchase:new")
+
 
 class UpdateBasketView(ProtectedViewsMixin, SuccessMessageMixin, UpdateView):
     permission_required = ["purchase.change_basket", "purchase.view_basket"]
