diff --git a/Controller/NotesController.php b/Controller/NotesController.php
index 3194e3b..0bbce1e 100644
--- a/Controller/NotesController.php
+++ b/Controller/NotesController.php
@@ -20,9 +20,11 @@ class NotesController {
         $sortBy = $_GET['sort_by'] ?? 'updated_at';
         $sortOrder = strtoupper($_GET['sort_order'] ?? 'DESC');
-
+        $isAdmin = false;
+        $userid = 2; //$_SESSION['user_id'];
+
         $this->view->setVars([
-            "notes" => $this->notesModel->selectNotesForUser(2, $sortBy, $sortOrder) //$_SESSION['user_id']
+            "notes" => $this->notesModel->selectNotesForUser($userid, $isAdmin, $sortBy, $sortOrder)
         ]);
     }
diff --git a/Model/NotesModel.php b/Model/NotesModel.php
index e6a1d65..b77ac92 100644
--- a/Model/NotesModel.php
+++ b/Model/NotesModel.php
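Review bot: The identity and role handed to selectNotesForUser are still hard-coded in the two added lines, `$isAdmin = false;` and `$userid = 2; //$_SESSION['user_id'];`, so every request lists user 2's notes regardless of who is logged in, and the session lookup survives only as dead text in a trailing comment. Moving the literal `2` out of the call into a named variable does not change that; the previous revision carried the same stub inline. If a session-backed path is intended, read it with an explicit absence check, e.g. `$userid = $_SESSION['user_id'] ?? null;` and `$isAdmin = ($_SESSION['role'] ?? null) === 'admin';` (the key names the old isAdmin() in showNotes.phtml used), and deny or redirect before the model call when `$userid` is null rather than falling back to a fixed id. The enclosing action method starts above the hunk, so any guard would sit at its top.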
@@ -2,36 +2,45 @@
 namespace ppa\Model;
 use ppa\Model\ParticipantModel;
-use ppb\Library\Msg;
 use PDOException;
 class NotesModel extends Database {
-    public function selectNotesForUser($userid, $sortBy = 'updated_at', $sortOrder = 'DESC')
+    public function selectNotesForUser($userid, $isAdmin = false, $sortBy = 'updated_at', $sortOrder = 'DESC')
     {
         $pdo = $this->linkDB();
-
-        $erg=array();
-        $params=array();
+        $erg = array();
 
-        $sql = "SELECT n.*, u.username AS owner_username
-                FROM notes n
-                JOIN users u ON n.user_id = u.id
-                ORDER BY :sortBy :sortOrder";
-
-        $params[':sortBy']=$sortBy;
-        $params[':sortOrder']=$sortOrder;
-
-        try {
-            $stmt=$pdo->prepare($sql);
-            $stmt->execute($params);
-        } catch (PDOException $e) {
-            new Msg(true, null, $e);
-            return false;
-        }
+        // Whitelist of allowed sort columns
+        $allowedSortColumns = ['id', 'title', 'owner_username', 'updated_at'];
+        $allowedSortOrders = ['ASC', 'DESC'];
 
-        $erg=$stmt->fetchAll(\PDO::FETCH_ASSOC);
-
-        return $erg;
+        $sortBy = in_array($sortBy, $allowedSortColumns) ? $sortBy : 'updated_at';
+        $sortOrder = in_array(strtoupper($sortOrder), $allowedSortOrders) ? strtoupper($sortOrder) : 'DESC';
+
+        try {
+            if ($isAdmin) {
+                $sql = "SELECT n.*, u.username AS owner_username
+                        FROM notes n
+                        JOIN users u ON n.user_id = u.id
+                        ORDER BY {$sortBy} {$sortOrder}";
+                $stmt = $pdo->prepare($sql);
+                $stmt->execute();
+            } else {
+                $sql = "SELECT id, title, content, created_at, updated_at
+                        FROM notes
+                        WHERE user_id = :userid
+                        ORDER BY {$sortBy} {$sortOrder}";
+                $stmt = $pdo->prepare($sql);
+                $stmt->execute(['userid' => $userid]);
+            }
+
+            $erg = $stmt->fetchAll(\PDO::FETCH_ASSOC);
+            return $erg;
+
+        } catch (PDOException $e) {
+            error_log("Database Error in selectNotesForUser: " . $e->getMessage());
+            return false;
+        }
     }
 }
\ No newline at end of file
diff --git a/Views/Notes/showNotes.phtml b/Views/Notes/showNotes.phtml
index 1cfa9d5..0a03519 100644
--- a/Views/Notes/showNotes.phtml
+++ b/Views/Notes/showNotes.phtml
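Review bot: The single sort whitelist does not fit both queries: `owner_username` is accepted for every caller, but the non-admin statement selects only `id, title, content, created_at, updated_at` from `notes` and defines no such alias, so `sort_by=owner_username` from a normal user makes the prepared statement fail and the method return false instead of the user's notes. In the admin branch the join with `users` means an unqualified `ORDER BY id` (and `updated_at`, if that table has one) may be rejected as ambiguous depending on the users schema, which the hunk does not show. Replacing the interpolated placeholders with a whitelist is the right move against injection, but the accepted keys should be mapped to the column expression each branch can actually order by, with `in_array(..., true)` for the order keyword; the sketch below also keeps array-valued `sort_by` input on the default rather than raising a TypeError on the array offset. Separately, `array|false` as the return type pushes the error case into the controller's view data unchecked; throwing a domain exception here would be cleaner, though that is a wider change.

```php
        // Accepted sort keys mapped to the expression each query can order by
        $sortColumns = $isAdmin
            ? ['id' => 'n.id', 'title' => 'n.title', 'owner_username' => 'owner_username', 'updated_at' => 'n.updated_at']
            : ['id' => 'id', 'title' => 'title', 'updated_at' => 'updated_at'];
        $orderBy = is_string($sortBy) ? ($sortColumns[$sortBy] ?? $sortColumns['updated_at']) : $sortColumns['updated_at'];
        $sortOrder = in_array(strtoupper((string) $sortOrder), ['ASC', 'DESC'], true) ? strtoupper((string) $sortOrder) : 'DESC';
        // … unchanged: try / if ($isAdmin) … with both ORDER BY clauses using {$orderBy} {$sortOrder} …
```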
@@ -13,7 +13,7 @@
     }
     function isAdmin() {
-        return isLoggedIn() && isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
+        return false;// isLoggedIn() && isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
     }
     function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
         return htmlspecialchars((string)$data, $flags, $encoding);
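Review bot: `isAdmin()` now returns false unconditionally, with the real role check parked as a trailing comment on the same line, so the template's admin gating is silently off while the function name still promises a check. Commented-out logic of this kind tends to be re-enabled by hand later and drift from what the controller decides — the controller hunk already computes its own `$isAdmin` for the model call — leaving two independent sources of the admin decision that can disagree. If the stub is deliberate for now, delete the dead expression and say so, e.g. `// Admin UI disabled; the admin decision is made in the controller, not here`, or better pass the controller's `$isAdmin` through setVars alongside `notes` and have the template use that value instead of re-deriving it from `$_SESSION`.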