diff --git a/bookwyrm/tests/views/lists/test_list.py b/bookwyrm/tests/views/lists/test_list.py
index 432f2309..5469b233 100644
--- a/bookwyrm/tests/views/lists/test_list.py
+++ b/bookwyrm/tests/views/lists/test_list.py
@@ -32,6 +32,14 @@ class ListViews(TestCase):
 localname="mouse",
 remote_id="https://example.com/users/mouse",
 )
+ self.rat = models.User.objects.create_user(
+ "rat@local.com",
+ "rat@rat.com",
+ "ratword",
+ local=True,
+ localname="rat",
+ remote_id="https://example.com/users/rat",
+ )
 work = models.Work.objects.create(title="Work")
 self.book = models.Edition.objects.create(
 title="Example Edition",
@@ -579,7 +587,7 @@ class ListViews(TestCase):
 {
 "book": self.book.id,
 "book_list": self.list.id,
- "user": self.local_user.id,
+ "user": self.rat.id,
 },
 )
 request.user = self.rat
@@ -608,7 +616,7 @@ class ListViews(TestCase):
 {
 "book": self.book.id,
 "book_list": self.list.id,
- "user": self.local_user.id,
+ "user": self.rat.id,
 },
 )
 request.user = self.rat
diff --git a/bookwyrm/views/list/list.py b/bookwyrm/views/list/list.py
index c66fe2de..4c740924 100644
--- a/bookwyrm/views/list/list.py
+++ b/bookwyrm/views/list/list.py
@@ -3,6 +3,7 @@ from typing import Optional
 from urllib.parse import urlencode
 from django.contrib.auth.decorators import login_required
+from django.core.exceptions import PermissionDenied
 from django.core.paginator import Paginator
 from django.db import IntegrityError, transaction
 from django.db.models import Avg, DecimalField, Q, Max
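Review bot: In the `@@ -32,6 +32,14 @@` hunk of test_list.py, `self.rat` is introduced even though `request.user = self.rat` is unchanged context in the two later hunks, so the attribute was already referenced before this commit. Confirm that no other `self.rat` assignment remains in the class, since a second `create_user("rat@local.com", ...)` would presumably collide on the username. The setup method starts and ends outside the hunk.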
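Review bot: The `@@ -579,7 +587,7 @@` and `@@ -608,7 +616,7 @@` hunks of test_list.py only align the posted `"user"` with `request.user`; nothing shown here exercises the new denial path in `add_book`. Add a test asserting `PermissionDenied` when a non-owner posts to a list with `curation == "closed"`. Add a second test that posts a `"user"` id different from `request.user`, to pin that one account cannot create list items attributed to another. Whether the view already rejects that second case is not visible on this page. Both test bodies start and end outside the hunks.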
@@ -167,7 +168,13 @@ def add_book(request):
 """put a book on a list"""
 book_list = get_object_or_404(models.List, id=request.POST.get("book_list"))
 # make sure the user is allowed to submit to this list
- book_list.raise_not_submittable(request.user)
+ book_list.raise_visible_to_user(request.user)
+
+ if request.user != book_list.user and book_list.curation == "closed":
+ raise PermissionDenied()
+ is_group_member = models.GroupMember.objects.filter(
+ group=book_list.group, user=request.user
+ ).exists()
 form = forms.ListItemForm(request.POST)
 if not form.is_valid():
@@ -178,7 +185,7 @@ def add_book(request):
 if book_list.curation == "curated":
 # make a pending entry at the end of the list
 order_max = (book_list.listitem_set.aggregate(Max("order"))["order__max"]) or 0
- item.approved = False
+ item.approved = is_group_member or request.user == book_list.user
 else:
 # add the book at the latest order of approved books, before pending books
 order_max = (
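Review bot: The new gate in the `@@ -167,7 +168,13 @@` hunk rejects non-owners only when `curation == "closed"`, so a list with `curation == "group"` is no longer guarded here; a non-member who can view it appears to fall through to the `else` branch and add an item. Unless `raise_visible_to_user` or the form save already covers this, add `if book_list.curation == "group" and not is_group_member and request.user != book_list.user: raise PermissionDenied()` after the membership query. The comment `# make sure the user is allowed to submit to this list` now sits above a visibility check and should be moved or reworded. `add_book` continues past the hunk.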
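Review bot: In the `@@ -178,7 +185,7 @@` hunk the context comment `# make a pending entry at the end of the list` is stale, because `item.approved` is now true for the list owner and for group members. Reword it, for example `# owner and group members are auto-approved; everyone else gets a pending entry at the end`. Those approved items still take the end-of-list `order_max`, so they appear to land after pending entries; consider using the approved-books ordering from the `else` branch for them. `is_group_member` is also true on a curated list that merely has a `group` set, so confirm that membership is meant to bypass curation there. Both branches continue outside the hunk.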