diff --git a/Readme.md b/Readme.md
index 01a4a35..5783050 100644
--- a/Readme.md
+++ b/Readme.md
@@ -102,10 +102,8 @@ type Rights interface {
 }
 ```
 
-When using the standard web handler, all methods except `CanRead()` are called before their `CRUD` counterparts. `CanRead()`
-is called after `ReadOne()` was invoked as this would otherwise mean getting an object from the db to check if the user has the
-right to see it and then getting it again if thats the case. Calling the function afterwards means we only have to get the
-object once.
+When using the standard web handler, all methods are called before their `CRUD` counterparts.
+Use pointers for methods like `CanRead()` to get the base data of the model first, then check the right and then add addintional data.
 
 ## Handler Config
 
diff --git a/handler/read_one.go b/handler/read_one.go
index c548d68..64c64ca 100644
--- a/handler/read_one.go
+++ b/handler/read_one.go
@@ -30,14 +30,7 @@ func (c *WebHandler) ReadOneWeb(ctx echo.Context) error {
 return echo.NewHTTPError(http.StatusBadRequest, "No or invalid model provided.")
 }
 
- // Get our object
- err := currentStruct.ReadOne()
- if err != nil {
- return HandleHTTPError(err, ctx)
- }
-
 // Check rights
- // We can only check the rights on a full object, which is why we need to check it afterwards
 currentAuth, err := config.AuthProvider.AuthObject(ctx)
 if err != nil {
 return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.")
@@ -51,5 +44,11 @@ func (c *WebHandler) ReadOneWeb(ctx echo.Context) error {
 return echo.NewHTTPError(http.StatusForbidden, "You don't have the right to see this")
 }
 
+ // Get our object
+ err = currentStruct.ReadOne()
+ if err != nil {
+ return HandleHTTPError(err, ctx)
+ }
+
 return ctx.JSON(http.StatusOK, currentStruct)
 }
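Review bot: Moving `currentStruct.ReadOne()` below the rights check means `CanRead` (called between the two read_one.go hunks, outside the visible lines) now runs on an object that has not been loaded from storage and presumably holds only what was bound from the request. Nothing in the handler records that contract, so an implementation that decides on struct fields such as an owner ID would be trusting caller-supplied data. I would document it above the check, e.g. `// CanRead runs before ReadOne: currentStruct holds only request-bound values here, so implementations must load ownership data from storage and not trust its fields.` The start of ReadOneWeb, including how currentStruct is populated, lies outside the hunk, so this should be confirmed against the binding code.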