2 files changed, 3 insertions, 0 deletions

diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php
index 1176b0ca..01884bb8 100644
--- a/modules/tag/controllers/admin_tags.php
+++ b/modules/tag/controllers/admin_tags.php
@@ -42,6 +42,7 @@ class Admin_Tags_Controller extends Admin_Controller {
 
   public function delete($id) {
     access::verify_csrf();
+
     $tag = ORM::factory("tag", $id);
     if (!$tag->loaded) {
       kohana::show_404();
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index aecd1db7..930c1252 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -48,6 +48,7 @@ class Tags_Controller extends REST_Controller {
 
   public function _create($tag) {
     $item = ORM::factory("item", $this->input->post("item_id"));
+    access::required("view", $item);
     access::required("edit", $item);
 
     $form = tag::get_add_form($item);
@@ -73,6 +74,7 @@ class Tags_Controller extends REST_Controller {
   public function _form_add($item_id) {
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
+    access::required("edit", $item);
 
     return tag::get_add_form($item);
   }