This is why you put your permission checks on the resource itself, not on the link to the resource (well, in addition to, really).