diff --git a/app/controllers/forms_controller.rb b/app/controllers/forms_controller.rb index ffda05e5b..9ddb68ca6 100644 --- a/app/controllers/forms_controller.rb +++ b/app/controllers/forms_controller.rb @@ -70,6 +70,8 @@ class FormsController < ApplicationController end def publish + render_403 and return unless can_publish_form?(@form) + ActiveRecord::Base.transaction do @form.update!( published_by: current_user, @@ -82,6 +84,8 @@ class FormsController < ApplicationController end def unpublish + render_403 and return unless can_unpublish_form?(@form) + ActiveRecord::Base.transaction do @form.update!( published_by: nil, @@ -208,7 +212,6 @@ class FormsController < ApplicationController end def check_manage_permissions - render_403 unless @form && can_manage_form?(@form) end diff --git a/app/javascript/vue/forms/show.vue b/app/javascript/vue/forms/show.vue index f44214bbb..e39dc2d75 100644 --- a/app/javascript/vue/forms/show.vue +++ b/app/javascript/vue/forms/show.vue @@ -31,7 +31,7 @@ - diff --git a/app/models/form.rb b/app/models/form.rb index 789129e4b..b3181fed1 100644 --- a/app/models/form.rb +++ b/app/models/form.rb @@ -32,6 +32,10 @@ class Form < ApplicationRecord enum :visibility, { hidden: 0, visible: 1 } + def unused? + form_responses.none? + end + def permission_parent nil end diff --git a/app/permissions/form.rb b/app/permissions/form.rb index e3cde8b6d..c58121b21 100644 --- a/app/permissions/form.rb +++ b/app/permissions/form.rb @@ -40,6 +40,6 @@ Canaid::Permissions.register_for(Form) do end can :unpublish_form do |user, form| - form.published? && form.permission_granted?(user, FormPermissions::MANAGE) + form.published? && form.permission_granted?(user, FormPermissions::MANAGE) && form.unused? end end diff --git a/spec/controllers/forms_controller_spec.rb b/spec/controllers/forms_controller_spec.rb index 85209c43e..e235aeaf4 100644 --- a/spec/controllers/forms_controller_spec.rb +++ b/spec/controllers/forms_controller_spec.rb 
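Review bot: The new guard in `publish`, `render_403 and return unless can_publish_form?(@form)`, only halts the action when `render_403` returns a truthy value. Its definition is not part of this diff, and if it ever returns `nil` or `false` the `and return` is skipped and execution continues into the `ActiveRecord::Base.transaction` block despite the failed permission check. Writing it as `return render_403 unless can_publish_form?(@form)` removes that dependency on the helper's return value. The same applies to the `unpublish` guard in the next hunk. Both method bodies continue outside their hunks.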
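Review bot: In the `check_manage_permissions` hunk the collapsed layout does not show whether the single removed line (`-208,7 +212,6`) is a blank line or the `render_403 unless @form && can_manage_form?(@form)` call itself. The line counts and trailing context fit a blank-line cleanup, but this should be confirmed against the original patch. If the call were removed, the method would become a no-op and every action relying on this filter would lose both its manage check and its `@form` nil guard. The new `publish`/`unpublish` guards pass `@form` to the permission helpers with no nil check of their own, so they presumably depend on `@form` being loaded earlier.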
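Review bot: `form.unused?` in `can :unpublish_form` is evaluated once, in the controller guard, before the `unpublish` transaction opens. A response created between that check and `@form.update!` would still leave an unpublished form with responses attached. Whether that window matters depends on how responses are created, which is outside this diff. If it does, re-check inside the transaction while holding a row lock, e.g. `@form.with_lock { ... }` around the `unused?` test and the update. Putting a data-state condition in the permission also means a user who holds `FormPermissions::MANAGE` gets a 403 rather than a conflict-style error, which may be worth a comment such as `# forms with responses can no longer be unpublished`.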
@@ -9,6 +9,7 @@ describe FormsController, type: :controller do let!(:form) { create :form, team: team, created_by: user } let!(:form2) { create :form, team: team, created_by: user } + let!(:published_form) { create :form, team: team, created_by: user, published_by: user, published_on: DateTime.parse('1-1-2000') } let!(:form_field) { create :form_field, form: form2, created_by: user } describe '#index' do @@ -20,7 +21,7 @@ describe FormsController, type: :controller do response_body = JSON.parse(response.body) - expect(response_body['data'].length).to eq 2 + expect(response_body['data'].length).to eq 3 expect(response.body).to include(form.name) expect(response.body).to include(form2.name) expect(response.body).not_to include(form_field.name) @@ -110,7 +111,7 @@ describe FormsController, type: :controller do let(:action) { put :unpublish, params: params, format: :json } let(:params) do { - id: form.id, + id: published_form.id, } end
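Review bot: The spec hunks visible here only retarget the `unpublish` happy path at `published_form`; no example is visible for the branches this commit adds. Those are a forbidden response when the published form already has responses, and a forbidden response on `publish`/`unpublish` for a user without the required permission. Assuming those cases are not covered elsewhere in the file, add a context that attaches a response to `published_form` and asserts `expect(response).to have_http_status(:forbidden)`, plus a check that `published_by` is unchanged afterwards. As a minor style point, `DateTime.parse('1-1-2000')` in the new `let!` is an ambiguous date string, and `Time.zone.local(2000, 1, 1)` would be clearer. The enclosing `describe` blocks start and end outside these hunks.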