diff --git a/utils/download.php b/utils/download.php
index 6a98dfc..26d6ee2 100755
--- a/utils/download.php
+++ b/utils/download.php
@@ -17,7 +17,7 @@
* along with this program; if not, see .
*/
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/position.php");
/**
@@ -54,8 +54,14 @@ function toHMS($s) {
}
$type = isset($_REQUEST["type"]) ? $_REQUEST["type"] : "kml";
-$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
-$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
+$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
+
+if ($config::$require_authentication && !$user->isAdmin && $user->id !== $userId) {
+ // unauthorized
+ $mysqli->close();
+ exit();
+}
if ($config::$units == "imperial") {
$factor_kmh = 0.62; //to mph
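Review bot: The unauthorized branch at lines 20–24 ends the request with a bare `exit()`, so the client gets an empty 200 response that is indistinguishable from a successful download of an empty file; set a status before leaving, `http_response_code(403);` (401 if `$user` turns out not to be logged in at all). The strict `!==` against the now `(int)`-cast `$userId` is only correct if `$user->id` is itself an int — if auth.php populates it straight from a mysqli row it will be a string and every non-admin request would be rejected, so either cast that side too or confirm the type in auth.php. When `$userId` is NULL (missing or non-numeric `userid`) a non-admin is rejected, which is the safe default, but whether an unauthenticated `$user` with a null id can reach this line depends on auth.php, outside the hunk. The rest of download.php, including where `$trackId` is consumed, is also outside the hunk.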
diff --git a/utils/getpositions.php b/utils/getpositions.php
index 847a1bb..fb9753b 100755
--- a/utils/getpositions.php
+++ b/utils/getpositions.php
@@ -17,22 +17,25 @@
* along with this program; if not, see .
*/
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/position.php");
-$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : NULL;
-$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? $_REQUEST["trackid"] : NULL;
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
+$trackId = (isset($_REQUEST["trackid"]) && is_numeric($_REQUEST["trackid"])) ? (int) $_REQUEST["trackid"] : NULL;
if ($userId) {
- $position = new uPosition();
$positionsArr = [];
- if ($trackId) {
- // get all track data
- $positionsArr = $position->getAll($userId, $trackId);
- } else {
- // get data only for latest point
- $position->getLast($userId);
- $positionsArr[] = $position;
+
+ if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
+ $position = new uPosition();
+ if ($trackId) {
+ // get all track data
+ $positionsArr = $position->getAll($userId, $trackId);
+ } else {
+ // get data only for latest point
+ $position->getLast($userId);
+ $positionsArr[] = $position;
+ }
}
header("Content-type: text/xml");
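Review bot: When the ownership check at line 52 fails, the script still emits a well-formed XML document with zero positions and a 200 status, so a caller probing other `userid` values cannot distinguish "forbidden" from "no data" and the client code has nothing to react to; consider an explicit `else { http_response_code(403); $mysqli->close(); exit(); }` instead of silently keeping `$positionsArr = []`. As in download.php, the `===` comparison between `$user->id` and the `(int)` `$userId` is only sound if `$user->id` is an int rather than a string copied from a DB row — confirm in auth.php or cast both sides. Whether `getAll($userId, $trackId)` scopes the track to `$userId` rather than trusting `$trackId` alone lives in helpers/position.php, outside this hunk, and is what actually prevents cross-user track reads once this check passes. The XML emission continues past the end of the hunk.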
diff --git a/utils/gettracks.php b/utils/gettracks.php
index b31d98e..b2223b6 100755
--- a/utils/gettracks.php
+++ b/utils/gettracks.php
@@ -17,14 +17,18 @@
* along with this program; if not, see .
*/
-require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user
+require_once(dirname(__DIR__) . "/auth.php"); // sets $mysqli, $user, $config
require_once(ROOT_DIR . "/helpers/track.php");
-$userId = ((isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? $_REQUEST["userid"] : 0);
+$userId = (isset($_REQUEST["userid"]) && is_numeric($_REQUEST["userid"])) ? (int) $_REQUEST["userid"] : NULL;
if ($userId) {
- $track = new uTrack();
- $tracksArr = $track->getAll($userId);
+ $tracksArr = [];
+
+ if (!$config::$require_authentication || $user->isAdmin || $user->id === $userId) {
+ $track = new uTrack();
+ $tracksArr = $track->getAll($userId);
+ }
header("Content-type: text/xml");
$xml = new XMLWriter();
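Review bot: Same silent-deny pattern as getpositions.php: an unauthorized request at line 81 falls through to `header("Content-type: text/xml")` and an empty track list with a 200 status, so the denial is invisible to the client; an explicit `else { http_response_code(403); $mysqli->close(); exit(); }` would make the three endpoints consistent with download.php, which does exit. The change of the `$userId` fallback from `0` to `NULL` is harmless here because line 76 tests truthiness, though `userid=0` is still treated as absent. The `===` between `$user->id` and the `(int)`-cast `$userId` requires `$user->id` to be an int; if auth.php assigns it from a mysqli row as a string the check never passes for non-admins. The XMLWriter output continues beyond the hunk.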