diff --git a/src/modules/server/http/router_event.go b/src/modules/server/http/router_event.go
index 0068604d..847eedd9 100644
--- a/src/modules/server/http/router_event.go
+++ b/src/modules/server/http/router_event.go
@@ -259,6 +259,12 @@ func eventHisGets(c *gin.Context) {
 
 func eventCurDel(c *gin.Context) {
 	eventCur := mustEventCur(urlParamInt64(c, "id"))
+
+	can, err := models.UsernameCandoNodeOp(loginUsername(c), "mon_event_write", eventCur.Nid)
+	errors.Dangerous(err)
+	if !can {
+		errors.Bomb(_s("no privilege"))
+	}
 	renderMessage(c, eventCur.EventIgnore())
 }
 
@@ -404,6 +410,13 @@ func eventCurClaim(c *gin.Context) {
 	var f claimForm
 	errors.Dangerous(c.ShouldBind(&f))
 
+	eventCur := mustEventCur(f.Id)
+	can, err := models.UsernameCandoNodeOp(username, "mon_event_write", eventCur.Nid)
+	errors.Dangerous(err)
+	if !can {
+		errors.Bomb(_s("no privilege"))
+	}
+
 	id := f.Id
 	nodePath := f.NodePath