diff --git a/pkg/service/submissions.go b/pkg/service/submissions.go
index 0b7b4e7..3ca7029 100644
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@@ -496,10 +496,25 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 return ErrPermissionDenied
 }
 
+ // read submission (this could be done with a transaction WHERE clause)
+ submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+ if err != nil {
+ return err
+ }
+
+ has_role, err = userInfo.IsSubmitter(uint64(submission.Submitter))
+ if err != nil {
+ return err
+ }
+ // check if caller is NOT the submitter
+ if has_role {
+ return ErrPermissionDenied
+ }
+
 // transaction
 smap := datastore.Optional()
 smap.Add("status_id", model.StatusValidating)
- submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusAccepted}, smap)
+ submission, err = svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusAccepted}, smap)
 if err != nil {
 return err
 }
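Review bot: The new submitter check reads the submission with `Get` and then changes the status in a separate `IfStatusThenUpdateAndGet` call, so the separation-of-duties decision and the update it guards are not atomic, as the added comment itself acknowledges. If `Submitter` can never change after creation this is harmless, and a comment such as `// Submitter is immutable, so checking it before the status transaction is safe` would record that assumption; otherwise the condition belongs in the conditional update. Reusing `has_role` (assigned with `=`, so presumably declared above the hunk) for the `IsSubmitter` result makes `if has_role { return ErrPermissionDenied }` read backwards, and a dedicated `isSubmitter` variable would make the deny condition clearer. The function begins and ends outside the hunk, so any logging of the denied attempt cannot be judged from here.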