diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index c468712ac..558c620d9 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -6,13 +6,10 @@ exports = module.exports = {
 
     scope: scope,
     websocketAuth: websocketAuth,
-    verifyAppOwnership: verifyAppOwnership,
     verifyOperator: verifyOperator
 };
 
 var accesscontrol = require('../accesscontrol.js'),
-    apps = require('../apps.js'),
-    AppsError = apps.AppsError,
     assert = require('assert'),
     BasicStrategy = require('passport-http').BasicStrategy,
     BearerStrategy = require('passport-http-bearer').Strategy,
@@ -144,25 +141,6 @@ function websocketAuth(requiredScopes, req, res, next) {
     });
 }
 
-function verifyAppOwnership(req, res, next) {
-    if (req.user.admin) return next();
-
-    if (!config.isSpacesEnabled()) return next();
-
-    const appCreate = !('id' in req.params);
-
-    if (appCreate) return next(); // ok to install app
-
-    apps.get(req.params.id, function (error, app) {
-        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
-        if (error) return next(new HttpError(500, error));
-
-        if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
-
-        next();
-    });
-}
-
 function verifyOperator(req, res, next) {
     if (config.allowOperatorActions()) return next();
 
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 144889498..4acbbf0db 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -1,6 +1,8 @@
 'use strict';
 
 exports = module.exports = {
+    verifyOwnership: verifyOwnership,
+
     getApp: getApp,
     getApps: getApps,
     getAppIcon: getAppIcon,
@@ -30,6 +32,7 @@ exports = module.exports = {
 var apps = require('../apps.js'),
     AppsError = apps.AppsError,
     assert = require('assert'),
+    config = require('../config.js'),
     debug = require('debug')('box:routes/apps'),
     fs = require('fs'),
     HttpError = require('connect-lastmile').HttpError,
@@ -44,6 +47,25 @@ function auditSource(req) {
     return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };
 }
 
+function verifyOwnership(req, res, next) {
+    if (req.user.admin) return next();
+
+    if (!config.isSpacesEnabled()) return next();
+
+    const appCreate = !('id' in req.params);
+
+    if (appCreate) return next(); // ok to install app
+
+    apps.get(req.params.id, function (error, app) {
+        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
+        if (error) return next(new HttpError(500, error));
+
+        if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
+
+        next();
+    });
+}
+
 function getApp(req, res, next) {
     assert.strictEqual(typeof req.params.id, 'string');
 
diff --git a/src/server.js b/src/server.js
index 8422bbac9..27c7d6905 100644
--- a/src/server.js
+++ b/src/server.js
@@ -94,7 +94,7 @@ function initializeExpressSync() {
     var usersReadScope = routes.accesscontrol.scope(accesscontrol.SCOPE_USERS_READ);
     var usersManageScope = routes.accesscontrol.scope(accesscontrol.SCOPE_USERS_MANAGE);
     var appsReadScope = routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_READ);
-    var appsManageScope = [ routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_MANAGE), routes.accesscontrol.verifyAppOwnership ];
+    var appsManageScope = [ routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_MANAGE), routes.apps.verifyOwnership ];
     var settingsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_SETTINGS);
     var mailScope = routes.accesscontrol.scope(accesscontrol.SCOPE_MAIL);
     var clientsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_CLIENTS);
@@ -211,7 +211,7 @@ function initializeExpressSync() {
     router.get ('/api/v1/apps/:id/logs',      appsManageScope, routes.apps.getLogs);
     router.get ('/api/v1/apps/:id/exec',      appsManageScope, routes.apps.exec);
     // websocket cannot do bearer authentication
-    router.get ('/api/v1/apps/:id/execws',    routes.accesscontrol.websocketAuth.bind(null, [ accesscontrol.SCOPE_APPS_MANAGE ]), routes.accesscontrol.verifyAppOwnership, routes.apps.execWebSocket);
+    router.get ('/api/v1/apps/:id/execws',    routes.accesscontrol.websocketAuth.bind(null, [ accesscontrol.SCOPE_APPS_MANAGE ]), routes.apps.verifyOwnership, routes.apps.execWebSocket);
     router.post('/api/v1/apps/:id/clone',     appsManageScope, routes.apps.cloneApp);
     router.get ('/api/v1/apps/:id/download',  appsManageScope, routes.apps.downloadFile);
     router.post('/api/v1/apps/:id/upload',    appsManageScope, multipart, routes.apps.uploadFile);