diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php
index 993df3555..8f41b38fb 100644
--- a/app/Http/Controllers/Api/ApiV1Controller.php
+++ b/app/Http/Controllers/Api/ApiV1Controller.php
@@ -3438,6 +3438,7 @@ class ApiV1Controller extends Controller
 $status = Status::findOrFail($id);
 $pid = $request->user()->profile_id;
+ abort_if($user->has_roles && !UserRoleService::can('can-bookmark', $user->id), 403, 'Invalid permissions for this action');
 abort_if($status->in_reply_to_id || $status->reblog_of_id, 404);
 abort_if(!in_array($status->scope, ['public', 'unlisted', 'private']), 404);
 abort_if(!in_array($status->type, ['photo','photo:album', 'video', 'video:album', 'photo:video:album']), 404);
@@ -3477,6 +3478,7 @@ class ApiV1Controller extends Controller
 $status = Status::findOrFail($id);
 $pid = $request->user()->profile_id;
+ abort_if($user->has_roles && !UserRoleService::can('can-bookmark', $user->id), 403, 'Invalid permissions for this action');
 abort_if($status->in_reply_to_id || $status->reblog_of_id, 404);
 abort_if(!in_array($status->scope, ['public', 'unlisted', 'private']), 404);
 abort_if(!in_array($status->type, ['photo','photo:album', 'video', 'video:album', 'photo:video:album']), 404);
diff --git a/app/Http/Controllers/BookmarkController.php b/app/Http/Controllers/BookmarkController.php
index a24520d64..d1d793dd2 100644
--- a/app/Http/Controllers/BookmarkController.php
+++ b/app/Http/Controllers/BookmarkController.php
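Review bot: In both ApiV1Controller hunks the added `abort_if` reads `$user->has_roles` and `$user->id`, but the visible context only assigns `$status` and `$pid`; no `$user` is set in the lines shown. Both methods begin outside the hunks, so `$user` may be assigned earlier; if it is not, the role check either raises an undefined-variable error or evaluates `has_roles` on null and never denies, which fails open for role-restricted accounts. Assigning it next to the check, `$user = $request->user();`, and reusing it as `$pid = $user->profile_id;` would make the guard self-contained. A test asserting that a role-restricted account receives 403 on both endpoints would pin this down.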
@@ -8,60 +8,56 @@ use Auth;
 use Illuminate\Http\Request;
 use App\Services\BookmarkService;
 use App\Services\FollowerService;
+use App\Services\UserRoleService;
 class BookmarkController extends Controller
 {
- public function __construct()
- {
- $this->middleware('auth');
- }
+ public function __construct()
+ {
+ $this->middleware('auth');
+ }
- public function store(Request $request)
- {
- $this->validate($request, [
- 'item' => 'required|integer|min:1',
- ]);
+ public function store(Request $request)
+ {
+ $this->validate($request, [
+ 'item' => 'required|integer|min:1',
+ ]);
- $profile = Auth::user()->profile;
- $status = Status::findOrFail($request->input('item'));
+ $user = $request->user();
+ $status = Status::findOrFail($request->input('item'));
- abort_if($status->in_reply_to_id || $status->reblog_of_id, 404);
- abort_if(!in_array($status->scope, ['public', 'unlisted', 'private']), 404);
- abort_if(!in_array($status->type, ['photo','photo:album', 'video', 'video:album', 'photo:video:album']), 404);
+ abort_if($user->has_roles && !UserRoleService::can('can-bookmark', $user->id), 403, 'Invalid permissions for this action');
+ abort_if($status->in_reply_to_id || $status->reblog_of_id, 404);
+ abort_if(!in_array($status->scope, ['public', 'unlisted', 'private']), 404);
+ abort_if(!in_array($status->type, ['photo','photo:album', 'video', 'video:album', 'photo:video:album']), 404);
- if($status->scope == 'private') {
- if($profile->id !== $status->profile_id && !FollowerService::follows($profile->id, $status->profile_id)) {
- if($exists = Bookmark::whereStatusId($status->id)->whereProfileId($profile->id)->first()) {
- BookmarkService::del($profile->id, $status->id);
- $exists->delete();
+ if($status->scope == 'private') {
+ if($user->profile_id !== $status->profile_id && !FollowerService::follows($user->profile_id, $status->profile_id)) {
+ if($exists = Bookmark::whereStatusId($status->id)->whereProfileId($user->profile_id)->first()) {
+ BookmarkService::del($user->profile_id, $status->id);
+ $exists->delete();
- if ($request->ajax()) {
- return ['code' => 200, 'msg' => 'Bookmark removed!'];
- } else {
- return redirect()->back();
- }
- }
- abort(404, 'Error: You cannot bookmark private posts from accounts you do not follow.');
- }
- }
+ if ($request->ajax()) {
+ return ['code' => 200, 'msg' => 'Bookmark removed!'];
+ } else {
+ return redirect()->back();
+ }
+ }
+ abort(404, 'Error: You cannot bookmark private posts from accounts you do not follow.');
+ }
+ }
- $bookmark = Bookmark::firstOrCreate(
- ['status_id' => $status->id], ['profile_id' => $profile->id]
- );
+ $bookmark = Bookmark::firstOrCreate(
+ ['status_id' => $status->id], ['profile_id' => $user->profile_id]
+ );
- if (!$bookmark->wasRecentlyCreated) {
- BookmarkService::del($profile->id, $status->id);
- $bookmark->delete();
- } else {
- BookmarkService::add($profile->id, $status->id);
- }
+ if (!$bookmark->wasRecentlyCreated) {
+ BookmarkService::del($user->profile_id, $status->id);
+ $bookmark->delete();
+ } else {
+ BookmarkService::add($user->profile_id, $status->id);
+ }
- if ($request->ajax()) {
- $response = ['code' => 200, 'msg' => 'Bookmark saved!'];
- } else {
- $response = redirect()->back();
- }
-
- return $response;
- }
+ return $request->expectsJson() ? ['code' => 200, 'msg' => 'Bookmark saved!'] : redirect()->back();
+ }
 }
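Review bot: `Bookmark::firstOrCreate(['status_id' => $status->id], ['profile_id' => $user->profile_id])` in `store()` still looks the row up by `status_id` alone, because the second array only supplies values for a newly created row. When another profile has already bookmarked the status, that profile's row comes back with `wasRecentlyCreated` false, and the following branch calls `BookmarkService::del()` and `$bookmark->delete()` on it. The lookup should be scoped to the caller, as the private-scope branch already does with `whereStatusId()->whereProfileId()`: `Bookmark::firstOrCreate(['status_id' => $status->id, 'profile_id' => $user->profile_id]);`. Separately, the final return now uses `$request->expectsJson()` while the 'Bookmark removed!' branch keeps `$request->ajax()`; the two should agree.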