diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt index f207cab3d..33b911560 100644 --- a/docs/changelog/6.x.x.txt +++ b/docs/changelog/6.x.x.txt @@ -1,4 +1,5 @@ 6.99.4 + - fix: SQLForm - added missing privilege check - fix: typo in spectre - fixed a bug where a user could transfer a negative amount of karma to a thread and actually gain karma from the thread. diff --git a/lib/WebGUI/Asset/Wobject/SQLForm.pm b/lib/WebGUI/Asset/Wobject/SQLForm.pm index 713d67052..4c911bac4 100644 --- a/lib/WebGUI/Asset/Wobject/SQLForm.pm +++ b/lib/WebGUI/Asset/Wobject/SQLForm.pm @@ -1430,6 +1430,8 @@ Will mark the 'deleted' field identified by the id given in the form param 'fid' sub www_enableField { my $self = shift; + return $self->session->privilege->insufficient() unless ($self->_canAlterTable); + $self->session->db->write('delete from SQLForm_fieldDefinitions '. ' where property="disabled" and assetId='.$self->session->db->quote($self->getId).' and fieldId='.$self->session->db->quote($self->session->form->process("fid")));
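Review bot: The `_canAlterTable` guard added at the top of `www_enableField` covers this handler only, and any other `www_` methods in SQLForm.pm that change field definitions are not visible in the hunk, so they should be checked for the same guard before the changelog entry is treated as complete. Within this handler the check runs before the `delete`, and the statement is scoped by `assetId` with both values passed through `db->quote`, so the placement and quoting look right. The write is still driven by the `fid` form parameter alone, and the hunk shows no request-method or anti-forgery check; if the framework provides one, it belongs next to the new guard. The POD whose text appears in the hunk header should record the new behaviour, for example `Returns the insufficient privilege page unless the user may alter the table.` The body of `www_enableField` continues past the end of the hunk.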