diff --git a/web/ajax/log.php b/web/ajax/log.php
index fea9f34ea..87610c2c4 100644
--- a/web/ajax/log.php
+++ b/web/ajax/log.php
@@ -18,9 +18,8 @@ if (!isset($_REQUEST['task'])) {
 }
 } else if ($_REQUEST['task'] == 'create' ) {
 global $user;
- if (!$user) {
- // We allow any logged in user to create logs. This opens us up to DOS by malicious user
- $message = 'Insufficient permissions to view log entries for user '.$user['Username'];
+ if (!$user or (!canEdit('System') and !ZM_LOG_INJECT)) {
+ $message = 'Insufficient permissions to create log entries for user '.$user['Username'];
 } else {
 createRequest();
 }
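Review bot: The new `$message` line still indexes `$user['Username']` when the branch was entered because `!$user` was true, so for an anonymous caller it builds the message from a null/false value and emits an "array offset on null" warning alongside the denial; `$message = 'Insufficient permissions to create log entries for user '.($user['Username'] ?? '');` avoids that without changing the authorised path. The commit also drops the only comment that explained why this endpoint was deliberately lax, yet the new condition keeps an equivalent opening through `ZM_LOG_INJECT`; I would keep that rationale next to the check, e.g. `// ZM_LOG_INJECT lets any authenticated user create log entries (log flooding risk); otherwise System edit rights are required.` The `if`/`else if` chain this hunk belongs to starts before the hunk, and whether `$message` is later echoed unescaped is not visible here.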