diff --git a/app/graphql/mutations/post/lock_post.rb b/app/graphql/mutations/post/lock_post.rb
index fa30733f35..2bb807be25 100644
--- a/app/graphql/mutations/post/lock_post.rb
+++ b/app/graphql/mutations/post/lock_post.rb
@@ -14,7 +14,7 @@ def load_post(value)
 end
 def authorized?(post:)
- super(post, :update?)
+ super(post, :update_lock?)
 end
 def resolve(post:)
diff --git a/app/graphql/mutations/post/unlock_post.rb b/app/graphql/mutations/post/unlock_post.rb
index a37168dcf6..26a14b859d 100644
--- a/app/graphql/mutations/post/unlock_post.rb
+++ b/app/graphql/mutations/post/unlock_post.rb
@@ -14,7 +14,7 @@ def load_post(value)
 end
 def authorized?(post:)
- super(post, :update?)
+ super(post, :update_lock?)
 end
 def resolve(post:)
diff --git a/app/policies/post_policy.rb b/app/policies/post_policy.rb
index 2d8c30a1f2..be5ee1be44 100644
--- a/app/policies/post_policy.rb
+++ b/app/policies/post_policy.rb
@@ -5,6 +5,7 @@ def update?
 return false unless user
 return false if user.has_role?(:banned)
 return true if is_admin?
+ # NOTE: this is required to be here because posts are updated through json-api
 return false if record.locked?
 return true if group && has_group_permission?(:content)
 is_owner?
@@ -36,6 +37,13 @@ def group
 record.target_group
 end
+ def update_lock?
+ return true if is_admin?
+ return true if group && has_group_permission(:content)
+
+ false
+ end
+
 class Scope < Scope
 def resolve
 return scope if is_admin?
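Review bot: The added NOTE above `return false if record.locked?` says the check is "required to be here" but not what it protects, so the next reader still has to rediscover why it must not be moved. A comment that states the rule is more useful, e.g. `# Keep the locked? check inside update? itself: the JSON:API update path is authorized through update? alone, so a locked post has to be rejected at this point.` (the exact reason is inferred from the note's wording — confirm it). `update?` begins before this hunk, so the guards at its top are only partly visible here.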
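Review bot: `update_lock?` calls `has_group_permission(:content)` while `update?` in the hunk above calls `has_group_permission?(:content)`; unless a non-predicate `has_group_permission` also exists on the policy, a non-admin reaching that line raises NoMethodError instead of getting an authorization answer, so the lock/unlock mutations that now delegate to this predicate would fail for every group member. The new method also drops the `return false unless user` and `return false if user.has_role?(:banned)` guards that open `update?`, so a banned user who still holds group content permission can lock and unlock posts (assuming `is_admin?` and `group` tolerate a nil user, which is not visible here). The two policy predicates should share the same preamble; suggested body:
```ruby
  def update_lock?
    return false unless user
    return false if user.has_role?(:banned)
    return true if is_admin?
    return true if group && has_group_permission?(:content)

    false
  end
```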