diff --git a/taiga/projects/history/api.py b/taiga/projects/history/api.py
index 2119239a..db1d6bbc 100644
--- a/taiga/projects/history/api.py
+++ b/taiga/projects/history/api.py
@@ -62,6 +62,8 @@ class HistoryViewSet(ReadOnlyListViewSet):
         obj = self.get_object()
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
+        if history_entry is None:
+            return response.NotFound()
 
         self.check_permissions(request, 'comment_versions', history_entry)
 
@@ -76,6 +78,9 @@ class HistoryViewSet(ReadOnlyListViewSet):
         obj = self.get_object()
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
+        if history_entry is None:
+            return response.NotFound()
+
         obj = services.get_instance_from_key(history_entry.key)
         comment = request.DATA.get("comment", None)
 
@@ -113,6 +118,8 @@ class HistoryViewSet(ReadOnlyListViewSet):
         obj = self.get_object()
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
+        if history_entry is None:
+            return response.NotFound()
 
         self.check_permissions(request, 'delete_comment', history_entry)
 
@@ -132,6 +139,8 @@ class HistoryViewSet(ReadOnlyListViewSet):
         obj = self.get_object()
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
+        if history_entry is None:
+            return response.NotFound()
 
         self.check_permissions(request, 'undelete_comment', history_entry)
 
diff --git a/taiga/projects/userstories/api.py b/taiga/projects/userstories/api.py
index 143cb1ea..07e31cfe 100644
--- a/taiga/projects/userstories/api.py
+++ b/taiga/projects/userstories/api.py
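Review bot: The added `history_entry is None` guard handles an absent or unknown `id`, but the `filter(id=history_entry_id)` call on the line above still receives the raw query-string value, and on an integer primary key Django raises ValueError for a non-numeric value (for example `?id=abc`) before the guard is reached, so such a request surfaces as a 500 rather than a 404; the same applies to the hunks at lines 78, 118 and 139. Since the identical three-line lookup now appears four times in HistoryViewSet, a private helper that validates the id and returns the entry or None would let each action keep the new early return as `history_entry = self._get_history_entry(request, obj)` followed by the added `if history_entry is None: return response.NotFound()`. The enclosing actions start and end outside these hunks, so how each one continues after the lookup is not visible here.
```python
    def _get_history_entry(self, request, obj):
        """Return the history entry selected by ?id= for obj, or None if the id is missing, malformed or unknown."""
        history_entry_id = request.QUERY_PARAMS.get('id', None)
        if history_entry_id is None or not str(history_entry_id).isdigit():
            return None
        return services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()

    # … unchanged: each action then does history_entry = self._get_history_entry(request, obj) and the None check …
```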
@@ -286,8 +286,14 @@ class UserStoryViewSet(OCCResourceMixin, VotedResourceMixin, HistoryResourceMixi
 
     @list_route(methods=["GET"])
     def by_ref(self, request):
+        if "ref" not in request.QUERY_PARAMS:
+            return response.BadRequest(_("ref param is needed"))
+
+        if "project_slug" not in request.QUERY_PARAMS and "project_id" not in request.QUERY_PARAMS:
+            return response.BadRequest(_("project_id or project_slug param is needed"))
+
         retrieve_kwargs = {
-            "ref": request.QUERY_PARAMS.get("ref", None)
+            "ref": request.QUERY_PARAMS["ref"]
         }
         project_id = request.QUERY_PARAMS.get("project", None)
         if project_id is not None:
diff --git a/taiga/projects/userstories/permissions.py b/taiga/projects/userstories/permissions.py
index 6b46f72c..2d200446 100644
--- a/taiga/projects/userstories/permissions.py
+++ b/taiga/projects/userstories/permissions.py
@@ -26,6 +26,7 @@ class UserStoryPermission(TaigaResourcePermission):
     enought_perms = IsProjectAdmin() | IsSuperUser()
     global_perms = None
     retrieve_perms = HasProjectPerm('view_us')
+    by_ref_perms = HasProjectPerm('view_us')
     create_perms = HasProjectPerm('add_us_to_project') | HasProjectPerm('add_us')
     update_perms = CommentAndOrUpdatePerm('modify_us', 'comment_us')
     partial_update_perms = CommentAndOrUpdatePerm('modify_us', 'comment_us')
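Review bot: The new guard in by_ref requires `project_id` or `project_slug`, but the context line just below it reads `request.QUERY_PARAMS.get("project", None)`, so a client that satisfies the guard with `project_id=` still ends up with `project_id = None`, while a client sending `project=`, the key the view actually reads, is now rejected with 400 — unless code past the hunk reads `project_id` separately, which is not visible here. Either align the check with the key the view consumes, `if "project_slug" not in request.QUERY_PARAMS and "project" not in request.QUERY_PARAMS:`, or change the lookup below to `request.QUERY_PARAMS.get("project_id", None)` so the validated name and the consumed name agree, and adjust the error message to match. The `_()` translation helper used in the new BadRequest messages must already be imported in this module; that import is outside the hunk. by_ref's body continues past the end of the hunk.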