diff --git a/app/controllers/match_proposals_controller.rb b/app/controllers/match_proposals_controller.rb
index 92a5b58..98a7e53 100644
--- a/app/controllers/match_proposals_controller.rb
+++ b/app/controllers/match_proposals_controller.rb
@@ -25,10 +25,12 @@ class MatchProposalsController < ApplicationController
 end

 def update
- raise AccessError unless @match.can_make_proposal?(cuser)
 @proposal = MatchProposal.find(params[:id])
+ raise AccessError unless @proposal.can_update?(cuser, params[:match_proposal])
 @proposal.status = params[:match_proposal][:status]
 if @proposal.save
+ # TODO: rework messages
+ # TODO: make it so only one proposal can be confirmed for a match at any given time
 action = case @proposal.status
 when MatchProposal::STATUS_CONFIRMED
 "Confirmed Proposal for #{Time.use_zone(view_context.timezone_offset) { @proposal.proposed_time.strftime('%d %B %y %H:%M %Z') }}"
diff --git a/app/models/match_proposal.rb b/app/models/match_proposal.rb
index 44e1a42..388de93 100644
--- a/app/models/match_proposal.rb
+++ b/app/models/match_proposal.rb
@@ -22,8 +22,17 @@ class MatchProposal < ActiveRecord::Base
 cuser && match && match.can_make_proposal?(cuser)
 end

- def can_update? cuser
- cuser && match && match.can_make_proposal?(cuser)
+ def can_update? cuser, params = {}
+ return false unless cuser && match && match.can_make_proposal?(cuser)
+
+ if params.key?(:status) && (status.to_s != params[:status]) &&
+ (STATUS_REVOKED.to_s != params[:status])
+ return false unless (team != cuser.team)
+ return false if (STATUS_CONFIRMED.to_s == params[:status]) && (proposed_time < 20.minutes.from_now)
+ # TODO: update to usefull timelimit
+ # TODO: define rules for revoking; timelimit, access
+ end
+ true
 end

 def can_destroy?
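Review bot: In `MatchProposalsController#update`, `params[:match_proposal]` is handed to `can_update?` unchecked, so a request without that key passes `nil` (the model's `params = {}` default only applies when the argument is omitted) and `params.key?` raises instead of the action denying access. A guard on the new line would keep the failure on the authorization path: `raise AccessError unless params[:match_proposal].respond_to?(:key?) && @proposal.can_update?(cuser, params[:match_proposal])`. The proposal is also looked up by `params[:id]` alone; if `@match` is set from the route outside this hunk and used later in the action, nothing visible ties the two together, so a check like `raise AccessError unless @proposal.match == @match` may be needed. The body of `update` continues past the end of the hunk.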
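Review bot: In `MatchProposal#can_update?`, the transition rules only run inside `if params.key?(:status) ...`, so the method fails open: a caller passing a string-keyed plain hash skips them entirely. Any requested value other than the current status or `STATUS_REVOKED`, including one that matches no `STATUS_` constant, is accepted once the team check passes. The controller assigns `params[:match_proposal][:status]` straight onto the record, so unless `status` is validated elsewhere in the model (not visible here), unknown values should be rejected before the team and time rules. The confirm check also raises when `proposed_time` is nil; `return false if (STATUS_CONFIRMED.to_s == params[:status]) && (proposed_time.nil? || proposed_time < 20.minutes.from_now)` denies instead. I would also add a comment above the method stating the contract, for example `# True when cuser may apply params[:status]; revoking is currently open to anyone who can make proposals for the match.`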