diff --git a/src/Foundation.hs b/src/Foundation.hs
index 1b013618f..97325ec8f 100644
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
@@ -688,13 +688,15 @@ tagAccessPredicate AuthTutorControl = APDB $ \_ route _ -> case route of
     return Authorized
   r -> $unsupportedAuthPredicate AuthTutorControl r
 tagAccessPredicate AuthSubmissionGroup = APDB $ \mAuthId route _ -> case route of
-  CSubmissionR _ _ _ _ cID _ -> maybeT (unauthorizedI MsgUnauthorizedSubmissionSubmissionGroup) $ do
+  CSubmissionR tid ssh csh shn cID _ -> maybeT (unauthorizedI MsgUnauthorizedSubmissionSubmissionGroup) $ do
+    course <- $cachedHereBinary (tid, ssh, csh) . MaybeT . getKeyBy $ TermSchoolCourseShort tid ssh csh
+    Entity _ Sheet{..} <- $cachedHereBinary (course, shn) . MaybeT . getBy $ CourseSheet course shn
     smId <- catchIfMaybeT (const True :: CryptoIDError -> Bool) $ decrypt cID
     groups <- $cachedHereBinary cID . lift . fmap (Set.fromList . fmap E.unValue) . E.select . E.from $ \(submissionGroupUser `E.InnerJoin` submissionUser) -> do
       E.on $ submissionGroupUser E.^. SubmissionGroupUserUser E.==. submissionUser E.^. SubmissionUserUser
       E.where_ $ submissionUser E.^. SubmissionUserSubmission E.==. E.val smId
       return $ submissionGroupUser E.^. SubmissionGroupUserSubmissionGroup
-    unless (Set.null groups) $ do
+    unless (Set.null groups || isn't _RegisteredGroups sheetGrouping) $ do
       uid <- hoistMaybe mAuthId
       guardM . lift $ exists [SubmissionGroupUserUser ==. uid, SubmissionGroupUserSubmissionGroup <-. Set.toList groups]
     return Authorized