diff --git a/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java b/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
index 3f76b24e5..c94447ccd 100644
--- a/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
+++ b/src/inttest/java/com/faforever/api/moderationreport/ModerationReportTest.java
@@ -67,11 +67,22 @@ public void anonymousUserCannotCreateValidModerationReport() throws Exception {
 }
 
 @Test
- public void canCreateValidModerationReportWithoutScopeAndRole() throws Exception {
+ public void cannotCreateValidModerationReportWithoutScopeAndRole() throws Exception {
+ mockMvc.perform(get("/data/account"));
+ mockMvc.perform(
+ post("/data/moderationReport")
+ .with(getOAuthTokenWithActiveUser(NO_SCOPE, NO_AUTHORITIES))
+ .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
+ .content(createJsonApiContent(validModerationReport)))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ public void canCreateValidModerationReportWithScopeAndRole() throws Exception {
 mockMvc.perform(get("/data/account"));
 mockMvc.perform(
 post("/data/moderationReport")
- .with(getOAuthTokenWithActiveUser(NO_SCOPE, NO_AUTHORITIES))
+ .with(getOAuthTokenWithActiveUser(OAuthScope._LOBBY, NO_AUTHORITIES))
 .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
 .content(createJsonApiContent(validModerationReport)))
 .andExpect(status().isCreated())
@@ -103,7 +114,7 @@ public void cannotCreateReportWithoutReportedUsers() throws Exception {
 .setReportedUsers(null);
 mockMvc.perform(
 post("/data/moderationReport")
- .with(getOAuthTokenWithActiveUser(NO_SCOPE, NO_AUTHORITIES))
+ .with(getOAuthTokenWithActiveUser(OAuthScope._LOBBY, NO_AUTHORITIES))
 .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
 .content(createJsonApiContent(validModerationReport)))
 .andExpect(status().isBadRequest());
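Review bot: The new positive test's name `canCreateValidModerationReportWithScopeAndRole` claims a role is involved, but the request is built with `NO_AUTHORITIES`, so what it actually pins is that `OAuthScope._LOBBY` alone is sufficient; the same mismatch applies to its negative twin `cannotCreateValidModerationReportWithoutScopeAndRole`. Renaming them to `canCreateValidModerationReportWithLobbyScope` and `cannotCreateValidModerationReportWithoutLobbyScope` would keep the names honest about what the permission check enforces. The negative case only exercises `NO_SCOPE`; a second case that presents a scope other than `OAuthScope._LOBBY` and still expects `status().isForbidden()` would show the check is specific to the lobby scope rather than satisfied by any scope. The leading `mockMvc.perform(get("/data/account"));` in the new negative test has no assertion on its result and is presumably copied from the positive test; if it is not needed to set up the user it can be dropped to keep the forbidden case minimal. The scope change in the hunks at -103 and -115 (the latter on the next line) is the same mechanical update and needs no separate note.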
@@ -115,7 +126,7 @@ public void userCannotCreateReportWithoutReportDescription() throws Exception {
 .setReportDescription(null);
 mockMvc.perform(
 post("/data/moderationReport")
- .with(getOAuthTokenWithActiveUser(NO_SCOPE, NO_AUTHORITIES))
+ .with(getOAuthTokenWithActiveUser(OAuthScope._LOBBY, NO_AUTHORITIES))
 .header(HttpHeaders.CONTENT_TYPE, JSON_API_MEDIA_TYPE)
 .content(createJsonApiContent(validModerationReport)))
 .andExpect(status().isBadRequest());
diff --git a/src/main/java/com/faforever/api/data/domain/ModerationReport.java b/src/main/java/com/faforever/api/data/domain/ModerationReport.java
index 977fd3f65..c9f891dbf 100644
--- a/src/main/java/com/faforever/api/data/domain/ModerationReport.java
+++ b/src/main/java/com/faforever/api/data/domain/ModerationReport.java
@@ -7,6 +7,7 @@
 import com.faforever.api.data.checks.Prefab;
 import com.faforever.api.data.hook.ModerationReportHook;
 import com.faforever.api.security.elide.permission.AdminModerationReportCheck;
+import com.faforever.api.security.elide.permission.LobbyCheck;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.yahoo.elide.annotation.Audit;
 import com.yahoo.elide.annotation.Audit.Action;
@@ -16,9 +17,6 @@
 import com.yahoo.elide.annotation.LifeCycleHookBinding;
 import com.yahoo.elide.annotation.ReadPermission;
 import com.yahoo.elide.annotation.UpdatePermission;
-import lombok.Setter;
-import lombok.ToString;
-
 import jakarta.persistence.CascadeType;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
@@ -35,6 +33,9 @@
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 
+import lombok.Setter;
+import lombok.ToString;
+
 import java.util.Collection;
 import java.util.Set;
@@ -49,7 +50,7 @@
 @Include(name = ModerationReport.TYPE_NAME)
 @ReadPermission(expression = IsEntityOwnerFilter.EXPRESSION + " OR " + AdminModerationReportCheck.EXPRESSION)
 @DeletePermission(expression = Prefab.NONE)
-@CreatePermission(expression = Prefab.ALL)
+@CreatePermission(expression = LobbyCheck.EXPRESSION)
 @Audit(action = Action.CREATE, logStatement = "Moderation report `{0}` has been reported", logExpressions = "${moderationReport}")
 @Audit(action = Action.UPDATE, logStatement = "Moderation report `{0}` has been updated", logExpressions = "${moderationReport}")
 @LifeCycleHookBinding(operation = CREATE, phase = PRESECURITY, hook = ModerationReportHook.class)
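Review bot: The tightened `@CreatePermission(expression = LobbyCheck.EXPRESSION)` carries no comment explaining why creation is gated on the lobby scope while `@ReadPermission` stays owner-or-admin and `@DeletePermission` is `Prefab.NONE`, so a later reader may take the asymmetry for an accident; a line such as `// Reports may only be filed by a caller holding the lobby scope; tokens issued without it must not create reports (see ModerationReportTest).` above the annotation would record the intent. The hunk shows only the class-level annotations, and `UpdatePermission` is imported by this file but its expression is outside the hunk, so it is worth confirming it is not still `Prefab.ALL` for fields a reporter should not be able to change after filing. Elide also lets field-level permission annotations override the class-level one, which this hunk cannot show; a quick check that no field on the entity re-opens creation would close that gap. The `@LifeCycleHookBinding` runs `ModerationReportHook` at `PRESECURITY` on create, i.e. before this permission check is evaluated, so any side effect in the hook beyond populating the entity would still happen for callers the check then rejects — presumably it only sets fields, but that is inferred rather than visible here.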