diff --git a/CHANGELOG.md b/CHANGELOG.md
index e8d3d26..38a18af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,8 @@ Template for next version
 ### Security
+- form hooks should only be queryable for form admins
+
 ## [1.0.2] - 2022-03-13
 ### Fixed
diff --git a/src/resolver/form/form.resolver.ts b/src/resolver/form/form.resolver.ts
index 9f052b7..de98149 100644
--- a/src/resolver/form/form.resolver.ts
+++ b/src/resolver/form/form.resolver.ts
@@ -43,6 +43,7 @@ export class FormResolver {
 }
 @ResolveField(() => [FormHookModel])
+ @Roles('admin')
 async hooks(
 @User() user: UserEntity,
 @Parent() parent: FormModel,
@@ -50,6 +51,10 @@ export class FormResolver {
 ): Promise {
 const form = await cache.get(cache.getCacheKey(FormEntity.name, parent._id))
+ if (!this.formService.isAdmin(form, user)) {
+ throw new Error('no access to field')
+ }
+
 return form.hooks?.map(hook => new FormHookModel(hook)) || []
 }
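Review bot: The two guards added to `hooks` encode different notions of "admin": `@Roles('admin')` in the first hunk gates on a role name, while `this.formService.isAdmin(form, user)` in the second hunk is a per-form check, and if the Roles guard requires a global admin role the per-form check becomes unreachable for form admins without that role, which would contradict the changelog entry; confirm which semantics the guard implements and drop or document the redundant one. `throw new Error('no access to field')` reaches GraphQL clients as a generic internal error rather than an authorization failure, so `throw new ForbiddenException('no access to field')` (from `@nestjs/common`, if not already imported) would express the denial explicitly and keep error classification consistent. On a cache miss `form` is presumably undefined when handed to `isAdmin`; verify that the helper fails closed on an undefined form instead of throwing a TypeError that masks the access decision. The body of `hooks` spans both hunks, and its parameter list continues past the end of the first one.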