diff --git a/CHANGELOG b/CHANGELOG
index e6e92cc4d..f0b1a4085 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -106,6 +106,8 @@
 - remove empty lines at end of view/bootstrap/class.*.php files (Closes #329)
 - make sure contentDir ends with DIRECTORY_SEPARATOR (Closes #323)
 - minor improvements of installation
+- better checking in out/*.php for allowed operation (e.g. EditOnline,
+ RemoveVersion, SetReviewersApprovers, ...)
 --------------------------------------------------------------------------------
 Changes in version 4.3.35
diff --git a/inc/inc.ClassAccessOperation.php b/inc/inc.ClassAccessOperation.php
index 1a7afeb65..d6a84931b 100644
--- a/inc/inc.ClassAccessOperation.php
+++ b/inc/inc.ClassAccessOperation.php
@@ -61,9 +61,12 @@ class SeedDMS_AccessOperation {
 * document may delete versions. The admin may even delete a version
 * even if is disallowed in the settings.
 */
- function mayEditVersion() { /* {{{ */
+ function mayEditVersion($vno=0) { /* {{{ */
 if(get_class($this->obj) == $this->dms->getClassname('document')) {
- $version = $this->obj->getLatestContent();
+ if($vno)
+ $version = $this->obj->getContentByVersion($vno);
+ else
+ $version = $this->obj->getLatestContent();
 if (!isset($this->settings->_editOnlineFileTypes) || !is_array($this->settings->_editOnlineFileTypes) || !in_array(strtolower($version->getFileType()), $this->settings->_editOnlineFileTypes)) return false;
 if ($this->obj->getAccessMode($this->user) == M_ALL || $this->user->isAdmin()) {
diff --git a/out/out.EditAttributes.php b/out/out.EditAttributes.php
index bb18d31ed..cb7e72ddb 100644
--- a/out/out.EditAttributes.php
+++ b/out/out.EditAttributes.php
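Review bot: In mayEditVersion, the new `getContentByVersion($vno)` branch has no check that a content object actually came back, and the unchanged context line directly below it dereferences `$version->getFileType()`, so if the core getter returns false for an unknown version number (its contract is not visible here) the access check ends in a PHP error instead of a denial; the value presumably originates from the request parameter handled in out.EditOnline.php. Add `if(!$version) return false;` after the if/else, before the file-type test. The new `$vno` parameter is also undocumented, and the docblock above the signature still talks about deleting versions; add `@param integer $vno version number to check, 0 for the latest version` to it. mayEditVersion continues past the end of the hunk.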
@@ -48,6 +48,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->mayEditAttributes()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $attrdefs = $dms->getAllAttributeDefinitions(array(SeedDMS_Core_AttributeDefinition::objtype_documentcontent, SeedDMS_Core_AttributeDefinition::objtype_all));
diff --git a/out/out.EditComment.php b/out/out.EditComment.php
index b62980ef8..d8b7d29b6 100644
--- a/out/out.EditComment.php
+++ b/out/out.EditComment.php
@@ -53,6 +53,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->mayEditComment()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.EditOnline.php b/out/out.EditOnline.php
index 747399016..780c035d0 100644
--- a/out/out.EditOnline.php
+++ b/out/out.EditOnline.php
@@ -55,6 +55,7 @@ if(isset($_GET["version"])) {
 $lc = $document->getLatestContent();
 } else {
+ $version = 0;
 $content = $document->getLatestContent();
 $lc = $document->getLatestContent();
 }
@@ -76,6 +77,9 @@ if (!isset($settings->_editOnlineFileTypes) || !is_array($settings->_editOnlineF
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->mayEditVersion($version)) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $folder = $document->getFolder();
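Review bot: The added exitError call in out.EditAttributes.php passes `$document->getName()` into the message unescaped, while the identical line in the out.OverrideContentStatus.php, out.RemoveVersion.php and out.SetReviewersApprovers.php hunks of this commit wraps it in `htmlspecialchars()`. Unless UI::exitError escapes its arguments itself (not visible here), a document name containing markup is emitted into the error page as-is, so use `htmlspecialchars($document->getName())` here as in the other files. The same unescaped call is in the new checks in out.EditComment.php, out.EditOnline.php and out.SetWorkflow.php.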
diff --git a/out/out.OverrideContentStatus.php b/out/out.OverrideContentStatus.php
index 4470efc5d..d8141dcde 100644
--- a/out/out.OverrideContentStatus.php
+++ b/out/out.OverrideContentStatus.php
@@ -52,17 +52,13 @@ if (!is_object($content)) {
 UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("invalid_version"));
 }
-$overallStatus = $content->getStatus();
-
-// status change control
-if ($overallStatus["status"] == S_REJECTED || $overallStatus["status"] == S_EXPIRED || $overallStatus["status"] == S_DRAFT_REV || $overallStatus["status"] == S_DRAFT_APP ) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_change_final_states"));
-}
-
 $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->mayOverwriteStatus()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_change_final_states"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.RemoveVersion.php b/out/out.RemoveVersion.php
index 1131bceb6..500e6dbe8 100644
--- a/out/out.RemoveVersion.php
+++ b/out/out.RemoveVersion.php
@@ -62,6 +62,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->mayRemoveVersion()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
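Review bot: The new `mayOverwriteStatus()` check in out.OverrideContentStatus.php keeps the old `cannot_change_final_states` message, but it replaces an inline test that looked only at the content status; if mayOverwriteStatus() also considers the user's access mode (its body is not in this diff), a user who is merely not permitted now gets a message about final states. Report the two causes separately, keeping the status wording only where the status is the reason and otherwise using `getMLText("access_denied")`, or rename the text so it covers both. The same conflation occurs in the out.SetReviewersApprovers.php hunk, which reuses `cannot_assign_invalid_state` for the new `maySetReviewersApprovers()` check.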
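Review bot: `mayRemoveVersion()` in out.RemoveVersion.php is called without a version number, although this same commit gave `mayEditVersion()` a `$vno` argument so that the check applies to the requested version rather than to `getLatestContent()`. If mayRemoveVersion() inspects the latest content in the same way (its body is not in this diff), the permission is evaluated for a different version than the one this page removes. Giving mayRemoveVersion() the same optional version-number parameter and passing the requested version here, as out.EditOnline.php now does for mayEditVersion(), would keep the two checks consistent.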
diff --git a/out/out.SetReviewersApprovers.php b/out/out.SetReviewersApprovers.php
index 4ba1e6f45..6a39b4b5c 100644
--- a/out/out.SetReviewersApprovers.php
+++ b/out/out.SetReviewersApprovers.php
@@ -57,15 +57,13 @@ if(!$settings->_enableVersionModification) {
 UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("no_version_modification"));
 }
-$overallStatus = $content->getStatus();
-if ($overallStatus["status"]!=S_DRAFT_REV && $overallStatus["status"]!=S_DRAFT_APP) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_assign_invalid_state"));
-}
-
 $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->maySetReviewersApprovers()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_assign_invalid_state"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.SetWorkflow.php b/out/out.SetWorkflow.php
index 3e044e776..90405d395 100644
--- a/out/out.SetWorkflow.php
+++ b/out/out.SetWorkflow.php
@@ -53,6 +53,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+if(!$accessop->maySetWorkflow()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));