Currently, if a user tried to request a route by id, they could see it, even if the requested information wasn't their own. This isn't great and should be fixed.