diff --git a/api/controllers/console/app/app.py b/api/controllers/console/app/app.py index d0bbbe8bf0d39a..cb7738e17ef271 100644 --- a/api/controllers/console/app/app.py +++ b/api/controllers/console/app/app.py @@ -294,6 +294,10 @@ def get(self, app_id): def delete(self, app_id): """Delete app""" app_id = str(app_id) + + if current_user.current_tenant.current_role not in ['admin', 'owner']: + raise Forbidden() + app = _get_app(app_id, current_user.current_tenant_id) db.session.delete(app)
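Review bot: The role gate added at the top of `delete` spells the privileged roles as inline string literals (`['admin', 'owner']`), so the authorization policy lives in this one handler and has to be copied by hand wherever else it is needed. Consider one shared definition, for example a module-level tuple (constructed name) used as `if current_user.current_tenant.current_role not in PRIVILEGED_ROLES: raise Forbidden()`. It is also worth checking whether the other state-changing handlers of this resource, which are outside this hunk, need the same gate. No import change is visible in this diff, so confirm `Forbidden` is already imported in app.py; otherwise the denial path raises NameError and surfaces as a 500 rather than a 403. The body of `delete` continues past the end of the hunk, and a test that a non-admin member receives 403 and the app row is left intact would pin the new behaviour.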