diff --git a/services/auth.go b/services/auth.go
index a3fbe94..44a45a2 100644
--- a/services/auth.go
+++ b/services/auth.go
@@ -125,6 +125,11 @@ func (s *AuthService) CheckPermission(ctx context.Context, op string, obj interf
 case *models.Post:
 authorized = token.Permitted("post." + op)
 case *models.Story:
+ if op == "tag" && v.Open {
+ authorized = true
+ break
+ }
+
 authorized = token.PermittedUser(v.Author, "member", "story."+op)
 case *models.User:
 authorized = token.Permitted("user." + op)
diff --git a/services/stories.go b/services/stories.go
index da343be..550eb75 100644
--- a/services/stories.go
+++ b/services/stories.go
@@ -232,7 +232,7 @@ func (s *StoryService) EditStory(ctx context.Context, story *models.Story, name
 }

 func (s *StoryService) AddStoryTag(ctx context.Context, story models.Story, tag models.Tag) (*models.Story, error) {
- if err := s.authService.CheckPermission(ctx, "edit", &story); err != nil {
+ if err := s.authService.CheckPermission(ctx, "tag", &story); err != nil {
 return nil, err
 }

@@ -249,7 +249,7 @@ func (s *StoryService) AddStoryTag(ctx context.Context, story models.Story, tag
 }

 func (s *StoryService) RemoveStoryTag(ctx context.Context, story models.Story, tag models.Tag) (*models.Story, error) {
- if err := s.authService.CheckPermission(ctx, "edit", &story); err != nil {
+ if err := s.authService.CheckPermission(ctx, "tag", &story); err != nil {
 return nil, err
 }
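Review bot: In services/auth.go, the new `*models.Story` branch sets `authorized = true` for `op == "tag"` on an open story without consulting `token` at all, so the only remaining gate is whatever CheckPermission does before the switch, which is outside this hunk. If a missing or unscoped token can reach this switch it would pass, so confirm the token is validated earlier and record that on the branch, e.g. `// open stories: any authenticated caller may tag; token validity is checked above`. For stories that are not open, the permission looked up also changes from `"story.edit"` to `"story.tag"`, so existing roles may need that permission granted or tagging on closed stories will start failing for users who could do it before.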
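Review bot: In services/stories.go, AddStoryTag now lets the authorization outcome depend on the `Open` field of the `story` value its caller passes in, since `&story` points at the by-value parameter rather than a record loaded inside the service. If that struct can ever be populated from request data instead of the store, a caller could set `Open` themselves and take the open-story shortcut; the same applies to RemoveStoryTag in the next hunk. Where `story` is loaded is not visible here, so either confirm every caller fetches it from storage first or re-fetch it by ID in the service before `CheckPermission`. The function body continues outside the hunk.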
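Review bot: In RemoveStoryTag, reusing the `"tag"` operation means the open-story shortcut in CheckPermission also covers removal, so anyone allowed to add a tag to an open story can also strip tags placed by the author or by other users. If that is not intended, keep removal stricter by leaving this call as `CheckPermission(ctx, "edit", &story)`, or introduce a separate operation such as `"untag"` that the open-story branch does not match. If it is intended, a short comment on the call saying so would save the next reader from treating it as an oversight. The function body continues outside the hunk.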