diff --git a/routes/post.js b/routes/post.js
index 4a43ef7..ec5ca37 100644
--- a/routes/post.js
+++ b/routes/post.js
@@ -35,13 +35,21 @@ DB.getDB.then((DB)=>{
 profileid: getProfileId(req),
 ...req.body
 }
+ if(post.toProfile && await DB.isGroupPrivate(post.toProfile)){
+ let requestProfile = getProfileId(req) + "";
+ let group = await DB.getProfileCache(post.toProfile);
+ if(!group.subscribed[requestProfile] && group._id != requestProfile){
+ return res.json({
+ status: "You are not part of this private group",
+ });
+ }
+ }
 post.toProfile = post.toProfile ? DB.ObjectID(post.toProfile) : undefined;
 let postObj = new Post(post);
 let dbr = await DB.newPost(postObj);
 post = postObj.toObj();
 post._id = dbr.insertedId;
 if(post.toProfile && post.toProfile != post.profileid){
- //send email notification
 Notifications.youGotANewPost(post.toProfile, post.profileid, post.content)
 }
 return res.json({
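Review bot: The new membership check reads `post.toProfile` exactly as it arrived in `req.body`, before the `DB.ObjectID(post.toProfile)` normalisation that follows the added block, so `DB.isGroupPrivate` and `DB.getProfileCache` may receive a non-string or malformed value that the insert path then treats differently. Validate and normalise first (move `post.toProfile = post.toProfile ? DB.ObjectID(post.toProfile) : undefined;` above the `if`, or reject anything that is not a string id) so the check and the write operate on the same value. The check authorises `getProfileId(req)`, but the context line `...req.body` is spread after `profileid` and so appears to let the body override the author stored on the post; assigning `post.profileid = getProfileId(req)` after the spread would tie the stored author to the profile that was checked. `group` and `group.subscribed` are dereferenced without a null check, and the refusal goes out with the default 200 status, where `return res.status(403).json({...})` would let clients and logs tell a denial from a success. The handler starts and ends outside this hunk, so earlier validation may exist that is not visible here.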