diff --git a/pkg/models/reaction.go b/pkg/models/reaction.go
index 52e8edbf9..0bc8cafec 100644
--- a/pkg/models/reaction.go
+++ b/pkg/models/reaction.go
@@ -17,11 +17,13 @@
 package models
 import (
-	"code.vikunja.io/api/pkg/user"
-	"code.vikunja.io/web"
 	"time"
+
+	"code.vikunja.io/web"
 	"xorm.io/builder"
 	"xorm.io/xorm"
+
+	"code.vikunja.io/api/pkg/user"
 )
 type ReactionKind int
@@ -74,7 +76,16 @@ type ReactionMap map[string][]*user.User
 // @Failure 403 {object} web.HTTPError "The user does not have access to the entity"
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /{kind}/{id}/reactions [get]
-func (r *Reaction) ReadAll(s *xorm.Session, _ web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+func (r *Reaction) ReadAll(s *xorm.Session, a web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+
+	can, _, err := r.CanRead(s, a)
+	if err != nil {
+		return nil, 0, 0, err
+	}
+	if !can {
+		return nil, 0, 0, ErrGenericForbidden{}
+	}
+
 	reactions := []*Reaction{}
 	err = s.Where("entity_id = ? AND entity_kind = ?", r.EntityID, r.EntityKind).Find(&reactions)
 	if err != nil {
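Review bot: The guard added at the top of ReadAll discards the second result of `r.CanRead(s, a)` with `_` and says nothing about why; CanRead is defined outside this hunk, so a one-line comment such as `// only the boolean matters here; the second result (presumably the right level) is not needed for a read` — adjusted to CanRead's actual contract — would keep the intent clear. Before this change the auth argument was ignored (`_ web.Auth`) and the query below filters only on `entity_id`/`entity_kind`, so the new check appears to be what stops a caller from listing reactions on an entity they cannot access; that deserves a regression test asserting a user without access to the entity gets `ErrGenericForbidden{}` rather than the list. The blank line directly after the function's opening brace is stray (gofmt keeps it), so drop it by hand. ReadAll's body continues past the end of the hunk; the first hunk only regroups imports and needs no note.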