diff --git a/parser.py b/parser.py
index edebf90512c34df1bf3fc5226e3fdce569693505..ec8dd56539ab33af557e7ed4cc752de4722ab4f7 100644
--- a/parser.py
+++ b/parser.py
@@ -193,16 +193,24 @@ class Tag:
             if self.name == "url":
                 return r"\url{{{}}}".format(self.values[0])
             elif self.name == "todo":
+                if not show_private:
+                    return ""
                 return self.todo.render_latex(current_protocol=protocol)
             return r"\textbf{{{}:}} {}".format(escape_tex(self.name.capitalize()), escape_tex(self.values[0]))
         elif render_type == RenderType.plaintext:
             if self.name == "url":
                 return self.values[0]
+            elif self.name == "todo":
+                if not show_private:
+                    return ""
+                return self.values[0]
             return "{}: {}".format(self.name.capitalize(), self.values[0])
         elif render_type == RenderType.wikitext:
             if self.name == "url":
                 return "[{0} {0}]".format(self.values[0])
             elif self.name == "todo":
+                if not show_private:
+                    return ""
                 return self.todo.render_wikitext(current_protocol=protocol)
             return "'''{}:''' {}".format(self.name.capitalize(), self.values[0])
         else:
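Review bot: The `show_private` guard for `todo` tags is repeated inside each of the three render-type branches, so any branch without it will still emit the todo text. The trailing `else:` branch and the start of the method are outside this hunk, so I cannot tell whether other render types exist. A single check above the `render_type` dispatch, `if self.name == "todo" and not show_private: return ""`, would make the filter fail closed for every current and future output format. The new plaintext branch also returns `self.values[0]`, while LaTeX and wikitext delegate to `self.todo.render_*`, so plaintext presumably omits whatever those renderers add; a short comment stating that this is intentional would help.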
@@ -303,6 +311,8 @@ class Fork(Element):
 
     def render(self, render_type, show_private, level, protocol=None):
         name_line = self.name if self.name is not None and len(self.name) > 0 else ""
+        if level == 0 and self.name == "Todos" and not show_private:
+            return ""
         if render_type == RenderType.latex:
             begin_line = r"\begin{itemize}"
             end_line = r"\end{itemize}"
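Review bot: Hiding the section depends on the exact heading string `"Todos"` at `level == 0`, so a protocol whose author writes `TODOs`, `Todo` or adds trailing whitespace keeps its section visible to readers without `show_private`. If the heading is free-form text (not visible here), compare a normalised name, e.g. `(self.name or "").strip().lower() == "todos"`, or take the name from a shared constant. `todo` tags inside the section are presumably still suppressed by `Tag.render`, but any plain text under that heading would be rendered. The check could also sit above the `name_line` assignment, which is unused on this path. The rest of `render` lies outside the hunk.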
diff --git a/server.py b/server.py
index 827e063c8ed0645b0ba23d87174e23b0c993a9de..029eedacf61ae3623f7aab88d81022db52aa7569 100755
--- a/server.py
+++ b/server.py
@@ -687,8 +687,8 @@ def _get_page():
         return 0
 
 @app.route("/todos/list")
+@login_required
 def list_todos():
-    is_logged_in = check_login()
     user = current_user()
     protocoltype = None
     protocoltype_id = None
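Review bot: The removed local `is_logged_in` may still be read further down in `list_todos`, whose body continues past this hunk. If it is used in a query filter or passed to `render_template`, the route would raise `NameError` for every authenticated request. Please confirm that no reference remains, or keep the name as `is_logged_in = True` now that the decorator guarantees it. A one-line comment above the route, such as `# todos are internal: anonymous requests are rejected by @login_required`, would record why this listing is treated differently from the other list views.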
diff --git a/templates/layout.html b/templates/layout.html
index 57520e3b5b57197f14228d3a1b6b4229969bfbe9..d06902a818950c898ec7631c281d65933e78ca7e 100644
--- a/templates/layout.html
+++ b/templates/layout.html
@@ -30,7 +30,9 @@
                 <li><a href="{{url_for("new_protocol")}}">Neues Protokoll</a></li>
                 {% endif %}
                 <li><a href="{{url_for("list_protocols")}}">Protokolle</a></li>
+                {% if check_login() %}
                 <li><a href="{{url_for("list_todos")}}">Todos</a></li>
+                {% endif %}
                 <li><a href="{{url_for("list_decisions")}}">Beschlüsse</a></li>
                 {% if check_login() %}
                 <li><a href="{{url_for("list_types")}}">Typen</a></li>
diff --git a/templates/protocol-show.html b/templates/protocol-show.html
index af65a7b6bd238982e1c74e63571c0ef4ee06d49d..d9f75865ece24925ae32624a490f8c8e1cc9bc96 100644
--- a/templates/protocol-show.html
+++ b/templates/protocol-show.html
@@ -68,7 +68,7 @@
             {% endif %}
         </div>
         <div id="right-column" class="col-lg-6">
-            {% if protocol.is_done() %}
+            {% if protocol.is_done() and has_public_view_right and logged_in %}
                 <h3>Todos dieser Sitzung <a href="{{url_for("list_todos")}}">Aktuelle Todos</a></h3>
                 <ul>
                     {% if protocol.get_originating_todos()|length > 0 %}
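Review bot: The new condition reads the template variables `has_public_view_right` and `logged_in`, whereas `layout.html` in this same commit gates the Todos link with `check_login()`. If the view that renders this template does not pass both names, Jinja's default undefined handling treats them as false and the block disappears for every user without an error. Please confirm the view sets both, or use `{% if protocol.is_done() and check_login() %}` for consistency. The name `has_public_view_right` also suggests the public-read permission; since this commit treats todos as private, check that it is the intended right. The `{% if %}` block closes outside the hunk.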