diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 48dca04d2..12fd8602e 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -3303,6 +3303,9 @@ class ApiController(RedditController, OAuth2ResourceController):
                    remember=VBoolean("remember"),
                    dest=VDestination())
     def POST_adminon(self, form, jquery, remember, dest):
+        if c.user.name not in g.admins:
+            self.abort403()
+
         if form.has_errors('password', errors.WRONG_PASSWORD):
             return
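Review bot: The new guard calls `self.abort403()` as a bare statement, so the gate only holds if that helper raises (as a Pylons-style `abort(403)` does); if it merely sets the response status, control falls through into the password check and whatever follows, which I cannot see because the body of POST_adminon continues past the hunk. Writing it as `return self.abort403()` costs nothing and keeps the deny path correct regardless of how abort403 is implemented. Placing the allowlist check ahead of `form.has_errors('password', ...)` is the right order, since a non-admin never reaches the WRONG_PASSWORD branch and so gets no password-validity oracle from this endpoint. Given that a 403 here is an attempt by an authenticated non-admin to enable admin mode, it is worth logging the denied attempt (user name, remote address) before aborting so it is visible to detection, assuming the app has a logging hook available at this layer; the validators decorating this handler are outside the hunk, so whether an unauthenticated `c.user` can reach this line is not verifiable from the diff.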