diff --git a/mod/groups/actions/groups/membership/delete_invite.php b/mod/groups/actions/groups/membership/delete_invite.php
index 29500e9a13a..2809486c250 100644
--- a/mod/groups/actions/groups/membership/delete_invite.php
+++ b/mod/groups/actions/groups/membership/delete_invite.php
@@ -13,8 +13,12 @@
 return get_entity($group_guid);
 });
-if (!$user && !($group instanceof \ElggGroup)) {
- return elgg_error_response();
+if (!$user && !$group instanceof \ElggGroup) {
+ return elgg_error_response(elgg_echo('error:missing_data'));
+}
+
+if (!$user->canEdit() && !$group->canEdit()) {
+ return elgg_error_response(elgg_echo('actionunauthorized'));
 }
 // If join request made
diff --git a/mod/groups/actions/groups/membership/delete_request.php b/mod/groups/actions/groups/membership/delete_request.php
index af5a78176d4..04efb9630d8 100644
--- a/mod/groups/actions/groups/membership/delete_request.php
+++ b/mod/groups/actions/groups/membership/delete_request.php
@@ -9,8 +9,12 @@
 $user = get_user($user_guid);
 $group = get_entity($group_guid);
-if (!$user && !($group instanceof \ElggGroup)) {
- return elgg_error_response();
+if (!$user && !$group instanceof \ElggGroup) {
+ return elgg_error_response(elgg_echo('error:missing_data'));
+}
+
+if (!$user->canEdit() && !$group->canEdit()) {
+ return elgg_error_response(elgg_echo('actionunauthorized'));
 }
 // If join request made
diff --git a/mod/groups/actions/groups/membership/join.php b/mod/groups/actions/groups/membership/join.php
index e9c89450379..9d94a910106 100644
--- a/mod/groups/actions/groups/membership/join.php
+++ b/mod/groups/actions/groups/membership/join.php
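Review bot: The first guard in delete_invite.php still joins its two conditions with `&&`, so it returns `error:missing_data` only when both the user and the group are missing. With a missing user and a real group, execution reaches the new `$user->canEdit()` call on a non-object and the request ends in a fatal error rather than a clean error response. When the caller cannot edit `$user` and `$group` is not a group, `$group->canEdit()` is evaluated on whatever `get_entity()` returned, so the authorization decision is either another fatal error or, presumably, an answer about the wrong kind of entity. Use `||` as the join.php and leave.php hunks do: `if (!$user || !$group instanceof \ElggGroup) {`. The same guard, with the same problem, is in the delete_request.php hunk.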
@@ -18,10 +18,14 @@
 return get_entity($group_guid);
 });
-if (!$user || !($group instanceof \ElggGroup)) {
+if (!$user || !$group instanceof \ElggGroup) {
 return elgg_error_response(elgg_echo('groups:cantjoin'));
 }
+if (!$user->canEdit() && !$group->canEdit()) {
+ return elgg_error_response(elgg_echo('actionunauthorized'));
+}
+
 // join or request
 $join = false;
 if ($group->isPublicMembership() || $group->canEdit($user->guid)) {
diff --git a/mod/groups/actions/groups/membership/leave.php b/mod/groups/actions/groups/membership/leave.php
index bbea6bfdea7..33cfdcf426b 100644
--- a/mod/groups/actions/groups/membership/leave.php
+++ b/mod/groups/actions/groups/membership/leave.php
@@ -9,10 +9,14 @@
 $user = get_user($user_guid);
 $group = get_entity($group_guid);
-if (!$user || !($group instanceof \ElggGroup)) {
+if (!$user || !$group instanceof \ElggGroup) {
 return elgg_error_response(elgg_echo('groups:cantleave'));
 }
+if (!$user->canEdit() && !$group->canEdit()) {
+ return elgg_error_response(elgg_echo('actionunauthorized'));
+}
+
 if ($group->getOwnerGUID() === $user->guid) {
 // owner can't be removed
 return elgg_error_response(elgg_echo('groups:cantleave'));
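Review bot: The new check in join.php passes when the caller can edit either `$user` or `$group`, so a caller who manages the group but has no rights over the target user is authorized. The following `if ($group->isPublicMembership() || $group->canEdit($user->guid))` does not look at who is calling. If the branch it opens performs the join (its body is outside the hunk), a group editor could enrol any user in a public-membership group without that user's consent. If that is not intended, authorize on the user side only here, `if (!$user->canEdit()) {`; if it is, record the policy above the check, for example `// allowed for anyone who can edit the target user or the group`. leave.php carries the same either-side check, where it lets a group editor remove a member and would benefit from the same comment; the owner check after it continues outside the hunk.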