diff --git a/openlobby/core/api/types.py b/openlobby/core/api/types.py
index a6e9c6e805e7cd6c10300748b1f88242f211da6c..b777ba263ef20dd397133bdfe1fc3221206ce0cd 100644
--- a/openlobby/core/api/types.py
+++ b/openlobby/core/api/types.py
@@ -71,6 +71,12 @@ class Report(graphene.ObjectType):
         except NotFoundError:
             return None
 
+        if report.is_draft:
+            if not info.context.user.is_authenticated:
+                return None
+            if report.author_id != info.context.user.id:
+                return None
+
         author_type = cls._meta.fields['author'].type
         author = author_type.get_node(info, report.author_id)
         return cls.from_es(report, author)
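Review bot: The new draft check guards only this `get_node` path, so any other resolver that returns reports (search or list queries, an author's reports; none are visible in this hunk) would need the same filter, or drafts stay readable there. Returning `None` for both the anonymous and the non-author case matches the not-found branch just above, so the response does not reveal that a draft exists. That intent deserves a comment such as `# Drafts are visible to their author only; answer like "not found" so existence is not disclosed.` The two nested conditions can also be folded into one guard: `viewer = info.context.user` followed by `if report.is_draft and not (viewer.is_authenticated and viewer.id == report.author_id): return None`. The method starts above the hunk.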
diff --git a/tests/mutations/test_create_report.py b/tests/mutations/test_create_report.py
index f2121dabc7b6d65338f3c906b868dc2925af0f52..433a72babe837cee6e8354d1d5e7932ef3eaa1e6 100644
--- a/tests/mutations/test_create_report.py
+++ b/tests/mutations/test_create_report.py
@@ -1,11 +1,11 @@
 import pytest
 import arrow
-import json
 import re
 
-from openlobby.core.auth import create_access_token
 from openlobby.core.models import User, Report
 
+from ..utils import call_api
+
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
 
@@ -16,18 +16,6 @@ def setup():
         first_name='Winston', last_name='Wolfe', email='winston@wolfe.com')
 
 
-def call_api(client, query, input, username=None):
-    variables = json.dumps({'input': input})
-    if username is None:
-        res = client.post('/graphql', {'query': query, 'variables': variables})
-    else:
-        token = create_access_token(username)
-        auth_header = 'Bearer {}'.format(token)
-        res = client.post('/graphql', {'query': query, 'variables': variables},
-            HTTP_AUTHORIZATION=auth_header)
-    return res.json()
-
-
 def test_unauthorized(client, snapshot):
     query = """
     mutation createReport ($input: CreateReportInput!) {
diff --git a/tests/schema/snapshots/snap_test_node.py b/tests/schema/snapshots/snap_test_node.py
index 7b2e280583c22c9959e64beb5d12cd060d42af8b..52ce304f3feb1f476ba57268face7f251975445d 100644
--- a/tests/schema/snapshots/snap_test_node.py
+++ b/tests/schema/snapshots/snap_test_node.py
@@ -85,3 +85,24 @@ snapshots['test_user 1'] = {
         }
     }
 }
+
+snapshots['test_report__is_draft__unauthorized_viewer 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft__viewer_is_not_author 1'] = {
+    'data': {
+        'node': None
+    }
+}
+
+snapshots['test_report__is_draft 1'] = {
+    'data': {
+        'node': {
+            'id': 'UmVwb3J0OjQ=',
+            'title': 'The Silmarillion'
+        }
+    }
+}
diff --git a/tests/schema/test_node.py b/tests/schema/test_node.py
index c1ccbf1f934e0af7771576264ba486ff5fc3fd5b..0ffa6374ee85f373a1d7604039833f6d22805c39 100644
--- a/tests/schema/test_node.py
+++ b/tests/schema/test_node.py
@@ -5,6 +5,7 @@ from openlobby.core.auth import create_access_token
 from openlobby.core.models import OpenIdClient, User
 
 from ..dummy import prepare_reports
+from ..utils import call_api
 
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures('django_es')]
@@ -89,6 +90,51 @@ def test_report(client, snapshot):
     snapshot.assert_match(res.json())
 
 
+def test_report__is_draft(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query, username='Wolf'))
+
+
+def test_report__is_draft__unauthorized_viewer(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
+def test_report__is_draft__viewer_is_not_author(client, snapshot):
+    prepare_reports()
+    query = """
+    query {{
+        node (id:"{id}") {{
+            ... on Report {{
+                id
+                title
+            }}
+        }}
+    }}
+    """.format(id=to_global_id('Report', 4))
+    snapshot.assert_match(call_api(client, query))
+
+
 def test_user__unauthorized(client, snapshot):
     User.objects.create(id=8, username='albert', openid_uid='albert@einstein.id',
         first_name='Albert', last_name='Einstein', extra={'e': 'mc2'})
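Review bot: `test_report__is_draft__viewer_is_not_author` calls `call_api(client, query)` without a `username`, so it sends the same anonymous request as `test_report__is_draft__unauthorized_viewer`. The `report.author_id != info.context.user.id` branch of the new authorization check is therefore never exercised, and a regression that exposes drafts to any logged-in user would still pass. The test should authenticate as an existing user who is not the author of report 4, for example `snapshot.assert_match(call_api(client, query, username='<other_username>'))`. Whether `prepare_reports()` already creates such a user is not visible here, so the test may need to create one first.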
diff --git a/tests/utils.py b/tests/utils.py
new file mode 100644
index 0000000000000000000000000000000000000000..f807f170442aaa9d0e52c81a94c8898505ee6e37
--- /dev/null
+++ b/tests/utils.py
@@ -0,0 +1,15 @@
+import json
+
+from openlobby.core.auth import create_access_token
+
+
+def call_api(client, query, input=None, username=None):
+    variables = json.dumps({'input': input or {}})
+    if username is None:
+        res = client.post('/graphql', {'query': query, 'variables': variables})
+    else:
+        token = create_access_token(username)
+        auth_header = 'Bearer {}'.format(token)
+        res = client.post('/graphql', {'query': query, 'variables': variables},
+            HTTP_AUTHORIZATION=auth_header)
+    return res.json()
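Review bot: `call_api` is now shared by several test modules but has no docstring, and its authentication behaviour is easy to misread, as the anonymous call in `test_report__is_draft__viewer_is_not_author` suggests. A docstring would help, for example `"""POST a GraphQL query to /graphql; with username, send a Bearer access token created for that user, otherwise send the request unauthenticated."""`. The parameter name `input` also shadows the builtin. Renaming it would affect callers that pass it by keyword, so a short comment that the name mirrors the GraphQL `input` variable may be the cheaper option.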