diff --git a/app/controllers/new_user/dossiers_controller.rb b/app/controllers/new_user/dossiers_controller.rb
index acba445b2..ab82aea32 100644
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@@ -1,6 +1,7 @@
 module NewUser
   class DossiersController < UserController
-    before_action :ensure_ownership!, except: [:index]
+    before_action :ensure_ownership!, except: [:index, :modifier, :update]
+    before_action :ensure_ownership_or_invitation!, only: [:modifier, :update]
 
     def attestation
       send_data(dossier.attestation.pdf.read, filename: 'attestation.pdf', type: 'application/pdf')
@@ -99,16 +100,26 @@ module NewUser
     end
 
     def dossier_with_champs
-      @dossier_with_champs ||= current_user.dossiers.with_ordered_champs.find(params[:id])
+      @dossier_with_champs ||= Dossier.with_ordered_champs.find(params[:id])
     end
 
     def ensure_ownership!
       if dossier.user_id != current_user.id
-        flash[:alert] = "Vous n'avez pas accès à ce dossier"
-        redirect_to root_path
+        forbidden!
       end
     end
 
+    def ensure_ownership_or_invitation!
+      if !dossier.owner_or_invite?(current_user)
+        forbidden!
+      end
+    end
+
+    def forbidden!
+      flash[:alert] = "Vous n'avez pas accès à ce dossier"
+      redirect_to root_path
+    end
+
     def individual_params
       params.require(:individual).permit(:gender, :nom, :prenom, :birthdate)
     end
diff --git a/spec/controllers/new_user/dossiers_controller_spec.rb b/spec/controllers/new_user/dossiers_controller_spec.rb
index 2557d79ec..d9f5154e5 100644
--- a/spec/controllers/new_user/dossiers_controller_spec.rb
+++ b/spec/controllers/new_user/dossiers_controller_spec.rb
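Review bot: The `except:` list on `ensure_ownership!` and the `only:` list on `ensure_ownership_or_invitation!` have to mirror each other, and nothing in the first hunk states or enforces that: an action that is listed in `except:` but missing from `only:` would run with no authorization filter at all. A comment above the two filters would make the invariant visible, e.g. `# Every action except :index needs one of these filters: invitees may only reach modifier/update, everything else requires ownership.` Extracting the shared list into a constant (say `INVITE_ACTIONS = [:modifier, :update].freeze`, a constructed name) and using it in both `except:` and `only:` would make it impossible for the two lists to drift apart.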
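Review bot: `dossier_with_champs` now loads any `Dossier` by `params[:id]`, so it no longer enforces ownership on its own and every action that uses it is protected solely by the before_action filters; those filters authorize via `dossier`, whose lookup is outside the hunk, so if the two ever resolve different ids (the spec drives the filters with a `dossier_id` param while this finder reads `:id`) the check would apply to a different record than the one being edited. Tying the loaded record to the authorized one removes that possibility: `@dossier_with_champs ||= Dossier.with_ordered_champs.find(dossier.id)`, assuming `dossier` returns the record the filters examined. A comment on the method noting that authorization is delegated to the filters would also help the next maintainer who sees the unscoped `find`. Separately, `if !dossier.owner_or_invite?(current_user)` in `ensure_ownership_or_invitation!` reads more idiomatically as `unless dossier.owner_or_invite?(current_user)`.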
@@ -3,44 +3,96 @@ require 'spec_helper' describe NewUser::DossiersController, type: :controller do let(:user) { create(:user) } - describe 'before_action: ensure_ownership!' do + describe 'before_actions: ensure_ownership, ensure_ownership_or_invitation!' do it 'is present' do before_actions = NewUser::DossiersController ._process_action_callbacks .find_all{ |process_action_callbacks| process_action_callbacks.kind == :before } .map(&:filter) - expect(before_actions).to include(:ensure_ownership!) + expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!) end end - describe 'ensure_ownership!' do + shared_examples_for 'does not redirect nor flash' do + before { @controller.send(ensure_authorized) } + + it { expect(@controller).not_to have_received(:redirect_to) } + it { expect(flash.alert).to eq(nil) } + end + + shared_examples_for 'redirects and flashes' do + before { @controller.send(ensure_authorized) } + + it { expect(@controller).to have_received(:redirect_to).with(root_path) } + it { expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier") } + end + + describe '#ensure_ownership!' do let(:user) { create(:user) } + let(:asked_dossier) { create(:dossier) } + let(:ensure_authorized) { :ensure_ownership! } before do @controller.params = @controller.params.merge(dossier_id: asked_dossier.id) expect(@controller).to receive(:current_user).and_return(user) allow(@controller).to receive(:redirect_to) - - @controller.send(:ensure_ownership!) 
end - context 'when a user asks for its dossier' do + context 'when a user asks for their own dossier' do let(:asked_dossier) { create(:dossier, user: user) } - it 'does not redirects nor flash' do - expect(@controller).not_to have_received(:redirect_to) - expect(flash.alert).to eq(nil) - end + it_behaves_like 'does not redirect nor flash' end context 'when a user asks for another dossier' do - let(:asked_dossier) { create(:dossier) } + it_behaves_like 'redirects and flashes' + end - it 'redirects and flash' do - expect(@controller).to have_received(:redirect_to).with(root_path) - expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier") - end + context 'when an invite asks for a dossier where they were invited' do + before { create(:invite, dossier: asked_dossier, user: user, type: 'InviteUser') } + + it_behaves_like 'redirects and flashes' + end + + context 'when an invite asks for another dossier' do + before { create(:invite, dossier: create(:dossier), user: user, type: 'InviteUser') } + + it_behaves_like 'redirects and flashes' + end + end + + describe '#ensure_ownership_or_invitation!' do + let(:user) { create(:user) } + let(:asked_dossier) { create(:dossier) } + let(:ensure_authorized) { :ensure_ownership_or_invitation! 
} + + before do + @controller.params = @controller.params.merge(dossier_id: asked_dossier.id) + expect(@controller).to receive(:current_user).and_return(user) + allow(@controller).to receive(:redirect_to) + end + + context 'when a user asks for their own dossier' do + let(:asked_dossier) { create(:dossier, user: user) } + + it_behaves_like 'does not redirect nor flash' + end + + context 'when a user asks for another dossier' do + it_behaves_like 'redirects and flashes' + end + + context 'when an invite asks for a dossier where they were invited' do + before { create(:invite, dossier: asked_dossier, user: user, type: 'InviteUser') } + + it_behaves_like 'does not redirect nor flash' + end + + context 'when an invite asks for another dossier' do + before { create(:invite, dossier: create(:dossier), user: user, type: 'InviteUser') } + + it_behaves_like 'redirects and flashes' end end
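Review bot: Every example exercises the filters by calling them directly through `@controller.send(ensure_authorized)`, so nothing verifies that `modifier`/`update` actually run `ensure_ownership_or_invitation!` or that the now unscoped `dossier_with_champs` is unreachable for a non-invited user through a real request; the 'is present' example only checks that both filter names are registered, not their `only:`/`except:` options. A request-level example per action would close that gap, e.g. `get :modifier, params: { id: asked_dossier.id }` for a user who is neither owner nor invitee with `expect(response).to redirect_to(root_path)`, plus the same call for an invitee expecting success. The filter examples pass the dossier as `dossier_id:` while the routed actions would carry `:id`, so request-level examples are also what would catch a mismatch between the two lookups. Also, `expect(@controller).to receive(:current_user)` inside `before` is a message expectation used as a stub; `allow(@controller).to receive(:current_user).and_return(user)` states the intent and keeps the assertion in the `it` blocks.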