diff --git a/airtime_mvc/application/configs/ACL.php b/airtime_mvc/application/configs/ACL.php
index 2dbb6f5cd..f1ae5a21c 100644
--- a/airtime_mvc/application/configs/ACL.php
+++ b/airtime_mvc/application/configs/ACL.php
@@ -48,7 +48,8 @@ $ccAcl->allow('G', 'index')
       ->allow('G', 'locale')
       ->allow('G', 'upgrade')
       ->allow('G', 'downgrade')
-      ->allow('G', 'rest:media')
+      ->allow('G', 'rest:media', 'get')
+      ->allow('H', 'rest:media')
       ->allow('H', 'preference', 'is-import-in-progress')
       ->allow('H', 'usersettings')
       ->allow('H', 'plupload')
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 2696fd27d..bd803ec89 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -123,28 +123,32 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
                     die();
                 }
             }
+            else  //Non-REST, regular Airtime web app requests
+            {
+                //Redirect you to the login screen since you have no session.
+                if ($controller !== 'login') {
 
-            if ($controller !== 'login') {
+                    if ($request->isXmlHttpRequest()) {
 
-                if ($request->isXmlHttpRequest()) {
+                        $url = 'http://'.$request->getHttpHost().'/login';
+                        $json = Zend_Json::encode(array('auth' => false, 'url' => $url));
 
-                    $url = 'http://'.$request->getHttpHost().'/login';
-                    $json = Zend_Json::encode(array('auth' => false, 'url' => $url));
+                        // Prepare response
+                        $this->getResponse()
+                             ->setHttpResponseCode(401)
+                             ->setBody($json)
+                             ->sendResponse();
 
-                    // Prepare response
-                    $this->getResponse()
-                         ->setHttpResponseCode(401)
-                         ->setBody($json)
-                         ->sendResponse();
-
-                    //redirectAndExit() cleans up, sends the headers and stops the script
-                    Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->redirectAndExit();
-                } else {
-                    $r = Zend_Controller_Action_HelperBroker::getStaticHelper('redirector');
-                    $r->gotoSimpleAndExit('index', 'login', $request->getModuleName());
-               }
+                        //redirectAndExit() cleans up, sends the headers and stops the script
+                        Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->redirectAndExit();
+                    } else {
+                        $r = Zend_Controller_Action_HelperBroker::getStaticHelper('redirector');
+                        $r->gotoSimpleAndExit('index', 'login', $request->getModuleName());
+                   }
+                }
             }
-        } else {
+        } else { //We have a session/identity.
+
             // If we have an identity and we're making a RESTful request,
             // we need to check the CSRF token
             if ($request->_action != "get" && $request->getModuleName() == "rest") {