diff --git a/refunding/templates/refunding/payments.html b/refunding/templates/refunding/payments.html
index fd9b786..91be5d6 100644
--- a/refunding/templates/refunding/payments.html
+++ b/refunding/templates/refunding/payments.html
@@ -4,7 +4,7 @@
 {% block content %}
     <h1>
         {% block title %}Payments to refund{% endblock %}
-        {% if user.is_authenticated %}
+        {% if user.is_authenticated and perms.refunding.add_payment %}
             <div class="btn-group pull-right">
                 <a class="btn btn-success" href="{% url 'new_payment' %}">
                     <span class="glyphicon glyphicon-plus"></span>
diff --git a/refunding/templates/refunding/refunds.html b/refunding/templates/refunding/refunds.html
index 44976bc..d7befb0 100644
--- a/refunding/templates/refunding/refunds.html
+++ b/refunding/templates/refunding/refunds.html
@@ -4,7 +4,7 @@
 {% block content %}
     <h1>
         {% block title %}Latest refunds{% endblock %}
-        {% if user.is_authenticated %}
+        {% if user.is_authenticated and perms.refunding.add_refund %}
             <div class="btn-group pull-right">
                 <a class="btn btn-success" href="{% url 'new_refund' %}">
                     <span class="glyphicon glyphicon-plus"></span>
diff --git a/refunding/views.py b/refunding/views.py
index 69580e8..c0ad30c 100644
--- a/refunding/views.py
+++ b/refunding/views.py
@@ -1,4 +1,4 @@
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.db.models import Sum
 from django.shortcuts import render, redirect, get_object_or_404
 from refunding.forms import RefundFormPublic, PaymentForm
@@ -33,6 +33,7 @@ def latest_refunds(request):
 
 
 @login_required
+@permission_required('refunding.add_refund')
 def new_refund(request):
     if request.method == 'POST':
         form = RefundFormPublic(request.POST)
@@ -48,11 +49,12 @@ def new_refund(request):
         'form': form,
         'title': 'New refund'
     }
+
     return render(request, "refunding/refund_payment_detail.html", context)
 
 
-
 @login_required
+@permission_required('refunding.add_payment')
 def new_payment(request):
     if request.method == 'POST':
         form = PaymentForm(request.POST)
@@ -68,12 +70,15 @@ def new_payment(request):
         'form': form,
         'title': 'New payment'
     }
+
     return render(request, "refunding/refund_payment_detail.html", context)
 
 
 @login_required
+@permission_required('refunding.change_refund')
 def refund_edit(request, pk):
     refund = get_object_or_404(Refund, pk=pk)
+
     if request.method == 'POST':
         form = RefundFormPublic(request.POST, instance=refund)
         if form.is_valid():
@@ -83,8 +88,10 @@ def refund_edit(request, pk):
             return redirect('latest_refunds')
     else:
         form = RefundFormPublic(instance=refund)
+
     context = {
         'form': form,
         'title': 'Edit refund'
     }
+
     return render(request, 'refunding/refund_payment_detail.html', context)
diff --git a/refunds/settings.py b/refunds/settings.py
index e9f6b66..74915ba 100644
--- a/refunds/settings.py
+++ b/refunds/settings.py
@@ -14,6 +14,7 @@ import ast
 
 import dj_database_url
 import os
+from django.contrib import messages
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -161,3 +162,7 @@ LOGOUT_URL = 'auth_logout'
 LOGIN_REDIRECT_URL = 'home'
 
 CRISPY_TEMPLATE_PACK = 'bootstrap3'
+
+MESSAGE_TAGS = {
+    messages.ERROR: 'danger'
+}
diff --git a/templates/base.html b/templates/base.html
index c062498..5095e55 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -27,6 +27,15 @@
 {% include 'navbar.html' %}
 
 <div class="container">
+    {% for message in messages %}
+        <div class="alert alert-dismissible alert-{{ message.tags }}" role="alert">
+            <button type="button" class="close" data-dismiss="alert" aria-label="Close">
+                <span aria-hidden="true">&times;</span>
+            </button>
+            {{ message }}
+        </div>
+    {% endfor %}
+
     {% block content %}
     {% endblock %}
 </div>