diff --git a/server/contrib.py b/server/contrib.py
index 21845c5..451fece 100644
--- a/server/contrib.py
+++ b/server/contrib.py
@@ -9,7 +9,6 @@
     HTTPException,
     NotAuthorizedException,
     NotFoundException,
-    PermissionDeniedException,
     ValidationException,
 )
 from litestar.params import Body
@@ -17,6 +16,7 @@
 from uuid6 import uuid7
 
 from config import TURNSTILE_SECRET_KEY, TURNSTILE_SITE_KEY, UTC
+from server.auth import require_user_editor, require_user_login
 from server.base import BadRequestException, Request, http_client, pg
 from server.model import Patch, Wiki
 from server.router import Router
@@ -58,17 +58,12 @@ class CreateSuggestion:
 
 
 @router
-@litestar.post("/suggest")
+@litestar.post("/suggest", guards=[require_user_editor])
 async def suggest_api(
     subject_id: int,
     data: Annotated[CreateSuggestion, Body(media_type=RequestEncodingType.URL_ENCODED)],
     request: Request,
 ) -> Redirect:
-    if not request.auth:
-        raise PermissionDeniedException
-    if request.auth.allow_edit:
-        raise PermissionDeniedException
-
     if not data.desc:
         raise ValidationException("missing suggestion description")
 
@@ -149,11 +144,8 @@ async def suggest_api(
 
 
 @router
-@litestar.post("/api/delete-patch/{patch_id:str}")
+@litestar.post("/api/delete-patch/{patch_id:str}", guards=[require_user_login])
 async def delete_patch(patch_id: str, request: Request) -> Redirect:
-    if not request.auth:
-        raise NotAuthorizedException
-
     async with pg.acquire() as conn:
         async with conn.transaction():
             p = await conn.fetchrow(