diff --git a/counter/tests.py b/counter/tests.py
index 9e121097..996a3a2a 100644
--- a/counter/tests.py
+++ b/counter/tests.py
@@ -16,12 +16,15 @@ import json
 import re
 import string
 
+from django.core.cache import cache
 from django.test import TestCase
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.timezone import timedelta
+from model_bakery import baker
 
-from club.models import Club
+from club.models import Club, Membership
+from core.baker_recipes import subscriber_user
 from core.models import User
 from counter.models import BillingInfo, Counter, Customer, Permanency, Product, Selling
 from sith.settings import SITH_MAIN_CLUB
@@ -911,3 +914,47 @@ class TestCustomerAccountId(TestCase):
         assert created is False
         assert account.account_id == "1111a"
         assert account.amount == 10
+
+
+class TestClubCounterClickAccess(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.counter = baker.make(Counter, type="OFFICE")
+        cls.customer = subscriber_user.make()
+        cls.counter_url = reverse(
+            "counter:details", kwargs={"counter_id": cls.counter.id}
+        )
+        cls.click_url = reverse(
+            "counter:click",
+            kwargs={"counter_id": cls.counter.id, "user_id": cls.customer.id},
+        )
+
+        cls.user = subscriber_user.make()
+
+    def setUp(self):
+        cache.clear()
+
+    def test_anonymous(self):
+        res = self.client.get(self.click_url)
+        assert res.status_code == 403
+
+    def test_logged_in_without_rights(self):
+        self.client.force_login(self.user)
+        res = self.client.get(self.click_url)
+        assert res.status_code == 403
+        # being a member of the club, without being in the board, isn't enough
+        baker.make(Membership, club=self.counter.club, user=self.user, role=1)
+        res = self.client.get(self.click_url)
+        assert res.status_code == 403
+
+    def test_board_member(self):
+        baker.make(Membership, club=self.counter.club, user=self.user, role=3)
+        self.client.force_login(self.user)
+        res = self.client.get(self.click_url)
+        assert res.status_code == 200
+
+    def test_barman(self):
+        self.counter.sellers.add(self.user)
+        self.client.force_login(self.user)
+        res = self.client.get(self.click_url)
+        assert res.status_code == 200
diff --git a/counter/views.py b/counter/views.py
index 187d0c4a..a426c6fd 100644
--- a/counter/views.py
+++ b/counter/views.py
@@ -329,7 +329,7 @@ class CounterClick(CounterTabsMixin, CanViewMixin, DetailView):
             raise Http404
         if obj.type != "BAR" and not request.user.is_authenticated:
             raise PermissionDenied
-        if (
+        if obj.type == "BAR" and (
             "counter_token" not in request.session
             or request.session["counter_token"] != obj.token
             or len(obj.barmen_list) == 0