diff --git a/openslides/motions/static/js/motions/site.js b/openslides/motions/static/js/motions/site.js
index cc0e1f1e3..7e0f0d44e 100644
--- a/openslides/motions/static/js/motions/site.js
+++ b/openslides/motions/static/js/motions/site.js
@@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
             Motion.bindOne($scope.model.parent_id, $scope, 'parent');
         }
         // ... preselect default workflow
-        $scope.model.workflow_id = Config.get('motions_workflow').value;
+        if (operator.hasPerms('motions.can_manage')) {
+            $scope.model.workflow_id = Config.get('motions_workflow').value;
+        }
         // get all form fields
         $scope.formFields = MotionForm.getFormFields(true);
 
@@ -1668,7 +1670,7 @@ angular.module('OpenSlidesApp.motions.site', [
         // set initial data for csv import
         $scope.motions = [];
 
-        // set csv 
+        // set csv
         $scope.csvConfig = {
             accept: '.csv, .txt',
             encodingOptions: ['UTF-8', 'ISO-8859-1'],
diff --git a/openslides/motions/views.py b/openslides/motions/views.py
index 29b33ade1..9c94efe95 100644
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@@ -83,13 +83,18 @@ class MotionViewSet(ModelViewSet):
         """
         Customized view endpoint to create a new motion.
         """
-        # Check permission to send submitter and supporter data.
-        if (not request.user.has_perm('motions.can_manage') and
-                (request.data.get('submitters_id') or request.data.get('supporters_id'))):
-            # Non-staff users are not allowed to send submitter or supporter data.
-            self.permission_denied(request)
-
-        # TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506
+        # Check permission to send some data.
+        if not request.user.has_perm('motions.can_manage'):
+            whitelist = (
+                'title',
+                'text',
+                'reason',
+                'comments',  # This is checked later.
+            )
+            for key in request.data.keys():
+                if key not in whitelist:
+                    # Non-staff users are allowed to send only some data.
+                    self.permission_denied(request)
 
         # Check permission to send comment data.
         if not request.user.has_perm('motions.can_see_and_manage_comments'):
diff --git a/tests/unit/motions/test_views.py b/tests/unit/motions/test_views.py
index 4687d5f1c..dd3af2608 100644
--- a/tests/unit/motions/test_views.py
+++ b/tests/unit/motions/test_views.py
@@ -1,8 +1,6 @@
 from unittest import TestCase
 from unittest.mock import MagicMock, patch
 
-from rest_framework.exceptions import PermissionDenied
-
 from openslides.motions.views import MotionViewSet
 
 
@@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
         self.view_instance.create(self.request)
         self.mock_serializer.save.assert_called_with(request_user=self.request.user)
 
-    @patch('openslides.motions.views.config')
-    def test_user_without_can_create_perm(self, mock_config):
-        self.request.user.has_perm.return_value = False
-        with self.assertRaises(PermissionDenied):
-            self.view_instance.create(self.request)
-
 
 class MotionViewSetUpdate(TestCase):
     """