diff --git a/user/user.go b/user/user.go
index 8764d20..731e679 100644
--- a/user/user.go
+++ b/user/user.go
@@ -31,20 +31,22 @@ type User struct {
 
 // Route — Right (more is more right)
 var minimalRights = map[string]int{
- "text": 0,
- "backlinks": 0,
- "history": 0,
- "media": 1,
- "edit": 1,
- "upload-binary": 1,
- "upload-text": 1,
- "rename": 2,
- "remove-media": 2,
- "update-header-links": 3,
- "delete": 3,
- "reindex": 4,
- "admin": 4,
- "admin/shutdown": 4,
+ "text": 0,
+ "backlinks": 0,
+ "history": 0,
+ "media": 1,
+ "edit": 1,
+ "upload-binary": 1,
+ "upload-text": 1,
+ "add-to-category": 1,
+ "remove-from-category": 1,
+ "rename": 2,
+ "remove-media": 2,
+ "update-header-links": 3,
+ "delete": 3,
+ "reindex": 4,
+ "admin": 4,
+ "admin/shutdown": 4,
 }
 
 var groups = []string{
diff --git a/web/categories.go b/web/categories.go
index c8c5327..70b1e5b 100644
--- a/web/categories.go
+++ b/web/categories.go
@@ -2,9 +2,11 @@ package web
 
 import (
 "github.com/bouncepaw/mycorrhiza/hyphae/categories"
+ "github.com/bouncepaw/mycorrhiza/user"
 "github.com/bouncepaw/mycorrhiza/util"
 "github.com/bouncepaw/mycorrhiza/views"
 "github.com/gorilla/mux"
+ "io"
 "net/http"
 )
 
@@ -34,6 +36,11 @@ func handlerRemoveFromCategory(w http.ResponseWriter, rq *http.Request) {
 catName = util.CanonicalName(rq.PostFormValue("cat"))
 redirectTo = rq.PostFormValue("redirect-to")
 )
+ if !user.FromRequest(rq).CanProceed("remove-from-category") {
+ w.WriteHeader(http.StatusForbidden)
+ _, _ = io.WriteString(w, "403 Forbidden")
+ return
+ }
 categories.RemoveHyphaFromCategory(hyphaName, catName)
 http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }
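Review bot: The forbidden branch added before `categories.RemoveHyphaFromCategory` hand-rolls the 403 with `w.WriteHeader` plus `io.WriteString`, and the same four lines are repeated in handlerAddToCategory's hunk; `http.Error(w, "403 Forbidden", http.StatusForbidden)` does the same in one line, also sets `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff` which the manual version omits, and makes the new `io` import unnecessary. The check answers 403 whether the caller is anonymous or merely under-privileged; if `user.FromRequest` yields an anonymous user for unauthenticated requests, a 401 or a redirect to login on that path would be more accurate, but that is inferred from the call and not visible here. On the unchanged redirect line, `redirectTo` is taken straight from the form and handed to `http.Redirect`; it is pre-existing, but constraining it to a local path (a single leading `/`) would close an open redirect that the new authorization check does not address. Both handlers begin outside their hunks (the `var (` block declaring hyphaName is not shown).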
@@ -45,6 +52,11 @@ func handlerAddToCategory(w http.ResponseWriter, rq *http.Request) {
 catName = util.CanonicalName(rq.PostFormValue("cat"))
 redirectTo = rq.PostFormValue("redirect-to")
 )
+ if !user.FromRequest(rq).CanProceed("add-to-category") {
+ w.WriteHeader(http.StatusForbidden)
+ _, _ = io.WriteString(w, "403 Forbidden")
+ return
+ }
 categories.AddHyphaToCategory(hyphaName, catName)
 http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }