diff --git a/website/server/controllers/api-v3/tasks.js b/website/server/controllers/api-v3/tasks.js
index 139335bf8b..7d9a16a8a9 100644
--- a/website/server/controllers/api-v3/tasks.js
+++ b/website/server/controllers/api-v3/tasks.js
@@ -819,7 +819,7 @@ api.moveTask = {
 if (task.type === 'todo' && task.completed) throw new BadRequest(res.t('cantMoveCompletedTodo'));
- const owner = group || challenge || user;
+ const owner = challenge || user;
 // In memory updates
 const order = owner.tasksOrder[`${task.type}s`];
@@ -846,7 +846,7 @@ api.moveTask = {
 // it cannot be updated in the pre update hook
 // See https://github.com/HabitRPG/habitica/pull/9321#issuecomment-354187666 for more info
 // Only users have a version.
- if (!group && !challenge) {
+ if (!challenge) {
 owner._v += 1;
 }
diff --git a/website/server/libs/tasks/index.js b/website/server/libs/tasks/index.js
index 42badf8dce..6ae84431c5 100644
--- a/website/server/libs/tasks/index.js
+++ b/website/server/libs/tasks/index.js
@@ -326,8 +326,13 @@ function verifyTaskModification (task, user, group, challenge, res) {
 if (!task) {
 throw new NotFound(res.t('messageTaskNotFound'));
 } else if (task.group.id && !task.userId) {
- if (!group) throw new NotFound(res.t('groupNotFound'));
- if (canNotEditTasks(group, user)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
+ if (!group || user.guilds.concat(user.party._id).indexOf(group._id) === -1) {
+ throw new NotFound(res.t('groupNotFound'));
+ }
+ if (task.group.assignedUsers.length !== 0
+ && task.group.assignedUsers.indexOf(user._id) === -1) {
+ throw new BadRequest('Use /group/:groupId/tasks/:taskId/move/to/:position route');
+ }
 // If the task belongs to a challenge make sure the user has rights
 } else if (task.challenge.id && !task.userId) {
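Review bot: With `group` dropped from the owner fallback at `const owner = challenge || user;`, a group task that reaches moveTask is now reordered only in `user.tasksOrder`, and the group's own `tasksOrder` is never touched; nothing in the hunk records whether that is the intent, and `group` is presumably still resolved earlier in moveTask (outside the hunk), where it may now be an unused binding. A one-line comment above the assignment would settle the question for the next reader, e.g. `// Group tasks are ordered per user here; the group's own tasksOrder is managed by the group task move route.` The second hunk's `if (!challenge)` is consistent with the new owner choice, but the preceding `// Only users have a version.` comment now also covers the group case by omission — verify the Group schema really has no version before relying on that. moveTask starts and ends outside both hunks.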
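Review bot: Removing the `canNotEditTasks(group, user)` check means any member of the group now passes `verifyTaskModification` for a group task, where previously only those allowed by that helper did; the new membership test (`user.guilds.concat(user.party._id).indexOf(group._id) === -1`) is a sound addition, but if this function also guards update and delete callers (its name suggests it is shared; the callers are outside the hunk), the change widens who may modify group tasks well beyond the move case the new error message is written for. Consider keeping the leader check for non-move callers, or gating it behind an explicit parameter, so the authorization narrowing is deliberate rather than a side effect. The new `throw new BadRequest('Use /group/:groupId/tasks/:taskId/move/to/:position route')` is also the only throw in this function that bypasses `res.t`; routing it through a translation key would match the surrounding style. Unassigned group tasks (`assignedUsers.length === 0`) pass this branch for every member, which should be stated in a comment if intended. verifyTaskModification continues past the end of the hunk.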