2 files changed, 6 insertions, 18 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index b090356e..66a9e84f 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -146,7 +146,7 @@ abstract class Base extends \Kanboard\Core\Base
     protected function forbidden($no_layout = false)
     {
         if ($this->request->isAjax()) {
-            $this->response->text('Not Authorized', 401);
+            $this->response->text('Access Forbidden', 403);
         }
 
         $this->response->html($this->template->layout('app/forbidden', array(
diff --git a/app/Controller/Board.php b/app/Controller/Board.php
index a75fea33..06736cce 100644
--- a/app/Controller/Board.php
+++ b/app/Controller/Board.php
@@ -73,10 +73,6 @@ class Board extends Base
             return $this->response->status(403);
         }
 
-        if (! $this->projectPermission->isUserAllowed($project_id, $this->userSession->getId())) {
-            $this->response->text('Forbidden', 403);
-        }
-
         $values = $this->request->getJson();
 
         $result =$this->taskPosition->movePosition(
@@ -101,22 +97,18 @@ class Board extends Base
      */
     public function check()
     {
-        if (! $this->request->isAjax()) {
-            return $this->response->status(403);
-        }
-
         $project_id = $this->request->getIntegerParam('project_id');
         $timestamp = $this->request->getIntegerParam('timestamp');
 
-        if (! $this->projectPermission->isUserAllowed($project_id, $this->userSession->getId())) {
-            $this->response->text('Forbidden', 403);
+        if (! $project_id || ! $this->request->isAjax()) {
+            return $this->response->status(403);
         }
 
         if (! $this->project->isModifiedSince($project_id, $timestamp)) {
             return $this->response->status(304);
         }
 
-        $this->response->html($this->renderBoard($project_id));
+        return $this->response->html($this->renderBoard($project_id));
     }
 
     /**
@@ -126,14 +118,10 @@ class Board extends Base
      */
     public function reload()
     {
-        if (! $this->request->isAjax()) {
-            return $this->response->status(403);
-        }
-
         $project_id = $this->request->getIntegerParam('project_id');
 
-        if (! $this->projectPermission->isUserAllowed($project_id, $this->userSession->getId())) {
-            $this->response->text('Forbidden', 403);
+        if (! $project_id || ! $this->request->isAjax()) {
+            return $this->response->status(403);
         }
 
         $values = $this->request->getJson();