diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
index a8c5ce1..ac5e335 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
@@ -296,8 +296,12 @@ public class BookController {
 /*
 * Prevent other than MARKETING users to access hidden book
 * data even if they knew hash id.
+ *
+ * In this scenario, a book is invisible but a user still knows book's hash id.
+ * However, he/she has no proper MARKETING authorization
+ * to access the URL so we force him/her out of the page.
 */
- if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
+ if ( !book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
 //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 return "redirect:" + env.getProperty("page.url.list");
 }
@@ -405,8 +409,12 @@ public class BookController {
 /*
 * Prevent other than MARKETING users to access hidden book
 * data even if they knew hash id.
+ *
+ * In this scenario, an authenticated user has manually injected publish value to
+ * true but has no MARKETING authority. We force him/her out of the page to prevent
+ * unauthorized data manipulation.
 */
- if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
+ if ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
 //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 return "redirect:" + env.getProperty("page.url.list");
 }
diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java
index b43262a..dd90e2b 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java
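Review bot: The added comment lines describe this guard as a MARKETING-only check, but the authority the condition actually tests is `env.getProperty("auth.authority.sales")`, so either the comment or the property key is misleading and anyone auditing access control will be misled by one of them. The same wording is added in the second hunk of this file and in the BookRestController hunk. If that property really resolves to the marketing authority, state it in the comment, e.g. `* (the authority name is read from the auth.authority.sales property)`; otherwise the condition should reference the marketing property instead. Note also that if the property is unset, `contains(null)` is false and the guard redirects every user, which is fail-closed but worth a comment. The enclosing handler starts and ends outside the hunk, so which request it guards is not visible here.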
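Review bot: The inverted condition `if ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) )` only rejects a non-authorized user when the bound `publish` value is true, so it is a deny-on-one-value check over a client-controlled form field rather than a rule that the field is not theirs to set; if this handler persists the bound `book`, such a user can still submit `publish=false` and unpublish a visible book. A more robust fix is to not trust the bound field at all for users lacking the authority: copy `publish` from the persisted entity before saving, or exclude the field from binding for them, and only then decide whether to redirect. The new comment calls the value "manually injected", yet the redirect is silent — the status line stays commented out and nothing in the hunk logs the attempt, unlike the REST controller, so a manipulation attempt leaves no trace. The enclosing handler starts and ends outside the hunk.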
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java
@@ -95,8 +95,12 @@ public class BookRestController {
 /*
 * Prevent other than MARKETING users to access hidden book
 * data even if they knew hash id.
+ *
+ * In this scenario, a book is invisible but a user still knows book's hash id.
+ * However, he/she has no proper MARKETING authorization
+ * to access the URL so we force him/her out of the page.
 */
- if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
+ if ( !book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
 responseData.setHeader("Location", env.getProperty("page.url.index"));
 responseData.setStatus(302);
 httpServerLogger.log(requestData, responseData);