diff --git a/website/pizzas/admin.py b/website/pizzas/admin.py
index c172de59f271a016c6cbe723412679c538d0f790..7f90bbdfaaed5ffa847685bd7bd49c58a628b9c2 100644
--- a/website/pizzas/admin.py
+++ b/website/pizzas/admin.py
@@ -2,15 +2,14 @@ from django.conf import settings
 from django.contrib import admin
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse, path
-from django.utils import timezone
 from django.utils.html import format_html
 from django.utils.translation import ugettext_lazy as _
+from events import services
+from events.services import is_organiser
 from pizzas import admin_views
 from utils.admin import DoNextModelAdmin
 from .models import Order, PizzaEvent, Product
-from events.models import Event
-from events.services import is_organiser
 @admin.register(Product)
@@ -26,6 +25,7 @@ class PizzaEventAdmin(admin.ModelAdmin):
 date_hierarchy = 'start'
 exclude = ('end_reminder',)
 search_fields = [f'event__title_{l[0]}' for l in settings.LANGUAGES]
+ autocomplete_fields = ('event',)
 def notification_enabled(self, obj):
 return obj.send_notification
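Review bot: `autocomplete_fields = ('event',)` moves the choice of selectable events out of this class and into the Event admin's autocomplete view, and nothing on the line records that. The Event admin is not part of this diff; it needs `search_fields` for the option to work, and its queryset and permissions now decide which events a user of this form can search. Together with the removal of `formfield_for_foreignkey` in the next hunk, events that have already ended become selectable again. If that widening is intended, a comment above the line would say so, for example `# choices come from the Event admin's autocomplete view, past events included`.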
@@ -33,18 +33,25 @@ class PizzaEventAdmin(admin.ModelAdmin):
 notification_enabled.admin_order_field = 'send_notification'
 notification_enabled.boolean = True
+ def has_change_permission(self, request, obj=None):
+ """Only allow access to the change form if the user is an organiser"""
+ if (obj is not None and
+ not services.is_organiser(request.member, obj.event)):
+ return False
+ return super().has_change_permission(request, obj)
+
+ def has_delete_permission(self, request, obj=None):
+ """Only allow access to delete if the user is an organiser"""
+ if (obj is not None and
+ not services.is_organiser(request.member, obj.event)):
+ return False
+ return super().has_delete_permission(request, obj)
+
 def orders(self, obj):
 url = reverse('admin:pizzas_pizzaevent_details', kwargs={'pk': obj.pk})
 return format_html('{text}', url=url, text=_("Orders"))
- def formfield_for_foreignkey(self, db_field, request, **kwargs):
- if db_field.name == "event":
- kwargs["queryset"] = Event.objects.filter(
- end__gte=timezone.now())
- return super(PizzaEventAdmin, self).formfield_for_foreignkey(
- db_field, request, **kwargs)
-
 def get_urls(self):
 urls = super().get_urls()
 custom_urls = [
diff --git a/website/pizzas/admin_views.py b/website/pizzas/admin_views.py
index 6f73f1e88efd6be8c3f1dd63e840830649f613c6..44171f720316f55786575e84df980b5c7b0a611c 100644
--- a/website/pizzas/admin_views.py
+++ b/website/pizzas/admin_views.py
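Review bot: The organiser check in `has_change_permission` and `has_delete_permission` of `PizzaEventAdmin` covers only an existing object's stored `obj.event`, so it does not apply when a pizza event is added (`obj` is `None` there) or when the `event` field of an existing one is changed to a different event. With the event choices no longer filtered in this class, a user who holds the model permission can attach a pizza event to an event they do not organise. Checking the submitted event at save time closes this; the sketch below does it in `save_model`, reusing the `PermissionDenied` import already in the file and assuming `request.member` is populated the same way as in the two new methods. The two permission methods also repeat the same condition and could share one private helper.

```python
    def has_delete_permission(self, request, obj=None):
        # … unchanged: organiser check on obj.event …

    def save_model(self, request, obj, form, change):
        """Only allow saving for an event the user organises"""
        if not services.is_organiser(request.member, obj.event):
            raise PermissionDenied
        super().save_model(request, obj, form, change)
```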
@@ -1,13 +1,16 @@
 """Admin views provided by the pizzas package"""
 from django.shortcuts import get_object_or_404
+from django.utils.decorators import method_decorator
 from django.utils.text import capfirst
 from django.utils.translation import ugettext_lazy as _
 from django.views.generic import TemplateView
+from events.decorators import organiser_only
 from payments.models import Payment
 from pizzas.models import PizzaEvent, Order
+@method_decorator(organiser_only, name='dispatch')
 class PizzaOrderSummary(TemplateView):
 template_name = 'pizzas/admin/summary.html'
 admin = None
@@ -57,6 +60,7 @@ class PizzaOrderSummary(TemplateView):
 return context
+@method_decorator(organiser_only, name='dispatch')
 class PizzaOrderDetails(TemplateView):
 template_name = 'pizzas/admin/orders.html'
 admin = None
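Review bot: `organiser_only` is imported from the events app and its body is not in this diff, so it is not visible which object the decorator checks the organiser against on `PizzaOrderSummary`. The admin link built in admin.py for `admin:pizzas_pizzaevent_details` passes the pizza event's own key (`kwargs={'pk': obj.pk}` on a `PizzaEvent`); if the decorator looks up an `Event` by that `pk`, the check runs against an unrelated event, or fails when no event has that id. Please confirm it resolves the `PizzaEvent` first, or do the check in the view on the related event with `services.is_organiser(request.member, pizza_event.event)`. The same applies to the decorator added on `PizzaOrderDetails` in the next hunk. A test using a pizza event whose pk differs from its event's pk would pin this down.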