diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 6ed3b2ed3..b8f3ae8e1 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -35,15 +35,23 @@ def update
 api :POST, '/groups/:id/add_card', 'Add a credit card that pays for the group'
 def add_card
 group = Group.find(params[:id])
- group.add_card(params[:stripeEmail], params[:stripeToken])
- render status: 200, nothing: true
+ if current_user.is_admin_for?(group)
+ group.add_card(params[:stripeEmail], params[:stripeToken])
+ render status: 200, nothing: true
+ else
+ render status: 403, nothing: true
+ end
 end
 
 api :POST, '/groups/:id/extend_trial', 'Extend the group trial by 30 days'
 def extend_trial
 group = Group.find(params[:id])
- group.extend_trial()
- render status: 200, nothing: true
+ if current_user.is_admin_for?(group)
+ group.extend_trial()
+ render status: 200, nothing: true
+ else
+ render status: 403, nothing: true
+ end
 end
 
 private
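Review bot: The admin check is repeated inline in both add_card and extend_trial, so the next action added to this controller can ship without it; a `before_action :require_group_admin, only: %i[add_card extend_trial]` filter keeps the authorization decision in one place and makes the 403 path the default rather than something each action must remember. The filter should also cover an anonymous request — if no authentication filter runs first, `current_user` is nil and `current_user.is_admin_for?(group)` raises NoMethodError (a 500) instead of returning the intended 403. The hunk header shows these actions sit next to `update`, whose body is outside the hunk, so whether it carries the same check cannot be seen here. The responses can be written `head :forbidden` and `head :ok`, the form newer Rails versions prefer over `render ... nothing: true`.
```ruby
  before_action :require_group_admin, only: %i[add_card extend_trial]

  api :POST, '/groups/:id/add_card', 'Add a credit card that pays for the group'
  def add_card
    @group.add_card(params[:stripeEmail], params[:stripeToken])
    head :ok
  end

  # … unchanged: extend_trial (same shape, operating on @group) …

  private

  # Loads the group from params[:id] and rejects callers who are not admins of it.
  def require_group_admin
    @group = Group.find(params[:id])
    head :forbidden unless current_user && current_user.is_admin_for?(@group)
  end
```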