diff --git a/atst/domain/authz/decorator.py b/atst/domain/authz/decorator.py
index 00519308..0c1f0952 100644
--- a/atst/domain/authz/decorator.py
+++ b/atst/domain/authz/decorator.py
@@ -6,6 +6,7 @@ from . import user_can_access
 from atst.domain.portfolios import Portfolios
 from atst.domain.task_orders import TaskOrders
 from atst.domain.applications import Applications
+from atst.domain.invitations import Invitations
 from atst.domain.exceptions import UnauthorizedError
@@ -25,6 +26,10 @@ def check_access(permission, message, exception, *args, **kwargs):
 task_order = TaskOrders.get(kwargs["task_order_id"])
 access_args["portfolio"] = task_order.portfolio
+ if "token" in kwargs:
+ invite = Invitations._get(kwargs["token"])
+ access_args["portfolio"] = invite.portfolio_role.portfolio
+
 if exception is not None and exception(g.current_user, **access_args, **kwargs):
 return True
diff --git a/tests/routes/portfolios/test_invitations.py b/tests/routes/portfolios/test_invitations.py
index a4352808..cee8363f 100644
--- a/tests/routes/portfolios/test_invitations.py
+++ b/tests/routes/portfolios/test_invitations.py
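Review bot: The new `if "token" in kwargs:` branch unconditionally overwrites `access_args["portfolio"]`, so on routes that carry both `portfolio_id` and `token` (as `portfolios.revoke_invitation` and `portfolios.resend_invitation` do in the test file) the permission check runs against the invitation's portfolio and the URL's `portfolio_id` is never compared with it; whether an earlier branch of check_access resolves `portfolio_id` is outside this hunk, but a mismatch should be rejected rather than silently replaced, e.g. `if "portfolio_id" in kwargs and str(invite.portfolio_role.portfolio.id) != str(kwargs["portfolio_id"]):` followed by raising the same not-found/unauthorized error the rest of the decorator uses. `Invitations._get` is a leading-underscore accessor called from another module, and if it raises for an unknown token that exception now escapes the decorator before any permission check, which is fine for a lookup failure but deserves a comment such as `# resolve the portfolio from the token itself so the permission check applies to the portfolio the invitation belongs to, not a caller-supplied id`. It is also worth confirming that `_get` does not filter on expiry or status, since the new tests exercise an already-expired invite. check_access starts and ends outside this hunk.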
@@ -169,6 +169,58 @@ def test_revoke_invitation(client, user_session):
 assert invite.is_revoked
+def test_user_can_only_revoke_invites_in_their_portfolio(client, user_session):
+ portfolio = PortfolioFactory.create()
+ other_portfolio = PortfolioFactory.create()
+ user = UserFactory.create()
+ ws_role = PortfolioRoleFactory.create(
+ user=user, portfolio=other_portfolio, status=PortfolioRoleStatus.PENDING
+ )
+ invite = InvitationFactory.create(
+ user_id=user.id,
+ portfolio_role=ws_role,
+ status=InvitationStatus.REJECTED_EXPIRED,
+ expiration_time=datetime.datetime.now() - datetime.timedelta(seconds=1),
+ )
+ user_session(portfolio.owner)
+ response = client.post(
+ url_for(
+ "portfolios.revoke_invitation",
+ portfolio_id=portfolio.id,
+ token=invite.token,
+ )
+ )
+
+ assert response.status_code == 404
+ assert not invite.is_revoked
+
+
+def test_user_can_only_resend_invites_in_their_portfolio(client, user_session, queue):
+ portfolio = PortfolioFactory.create()
+ other_portfolio = PortfolioFactory.create()
+ user = UserFactory.create()
+ ws_role = PortfolioRoleFactory.create(
+ user=user, portfolio=other_portfolio, status=PortfolioRoleStatus.PENDING
+ )
+ invite = InvitationFactory.create(
+ user_id=user.id,
+ portfolio_role=ws_role,
+ status=InvitationStatus.REJECTED_EXPIRED,
+ expiration_time=datetime.datetime.now() - datetime.timedelta(seconds=1),
+ )
+ user_session(portfolio.owner)
+ response = client.post(
+ url_for(
+ "portfolios.resend_invitation",
+ portfolio_id=portfolio.id,
+ token=invite.token,
+ )
+ )
+
+ assert response.status_code == 404
+ assert len(queue.get_queue()) == 0
+
+
 def test_resend_invitation_sends_email(client, user_session, queue):
 user = UserFactory.create()
 portfolio = PortfolioFactory.create()
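Review bot: Both new tests build the cross-portfolio invite with `status=InvitationStatus.REJECTED_EXPIRED` and an `expiration_time` one second in the past, so the `404` they assert could come from expiry or status handling rather than from the portfolio mismatch the test names promise. A pending, unexpired invite in `other_portfolio` would isolate the authorization behaviour; a second case that keeps the expired fixture can stay if expiry handling is itself under test. A one-line comment on each fixture, e.g. `# invite belongs to other_portfolio; portfolio.owner must not be able to act on it`, would make the intent explicit.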