diff --git a/src/routes/user/+page.server.ts b/src/routes/user/+page.server.ts
index dbc6f39..d2acb58 100644
--- a/src/routes/user/+page.server.ts
+++ b/src/routes/user/+page.server.ts
@@ -72,7 +72,7 @@ export const actions = {
         if (locals.user.id != id && (!Permissions.has(locals.user.permissions, Permissions.USERADMIN.EDIT) || ((password1 != null || password2 != null) && !Permissions.has(locals.user.permissions, Permissions.USERADMIN.EDIT_PASSWORD)))) {
-            //return fail(403, { message: "Unauthorized action" })
+            return fail(403, { message: "Unauthorized action" })
         }
         if (password1 != null && password2 != null && password1.length > 0 && password2.length > 0) {
@@ -84,9 +84,11 @@ export const actions = {
                 return fail(500, { message: "Database failure"})
             }
         }
-
-        let permissions = null
-        permissions = ua_permissions.reduce((pv, cv) => pv | cv)
+
+        let permissions = ua_permissions.reduce((pv, cv) => pv | cv)
+        if (locals.user.id == id && locals.user.permissions != permissions) {
+            return fail(403, { message: "Cannot modify permissions for oneself" })
+        }
 
         const updated_user = updateUser({id, name, gender, address, username, permissions})
         SessionStore.reload_user_data(updated_user ?? locals.user)
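Review bot: The re-enabled guard treats `password1 != null || password2 != null` as intent to change the password, but the branch that actually changes it (the `if` at the end of the hunk) additionally requires `password1.length > 0 && password2.length > 0`, so a form submitted with empty password fields by an actor holding USERADMIN.EDIT but not EDIT_PASSWORD is rejected with 403 although no password change would occur. Aligning the two conditions, e.g. hoisting `const wantsPasswordChange = password1 != null && password2 != null && password1.length > 0 && password2.length > 0` and using it in both places, keeps the check fail-closed while matching what the action does. The `locals.user.id != id` comparison is loose; if `id` is parsed from the form as a string while `locals.user.id` is numeric, the coercion is load-bearing and should be made explicit (normalise `id` once, then compare with `!==`) rather than relied on. The enclosing action starts before and ends after this hunk.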
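Review bot: The new self-edit check runs after the password branch above it, which from the `Database failure` error appears to already write to the database, so a user who submits a password change together with a changed permission set gets the password updated and then a 403 — a partial update that the response reports as a failure; moving the check up to sit with the authorization guard before any write would avoid that. The new `ua_permissions.reduce((pv, cv) => pv | cv)` line keeps the old form with no initial value, which throws a TypeError on an empty array (a form with no permission boxes ticked) and surfaces as an unhandled error instead of a `fail(...)`; `ua_permissions.reduce((pv, cv) => pv | cv, 0)` gives the empty case a defined value. The check also only covers the self case: an actor with USERADMIN.EDIT can still assign another account permissions the actor does not hold, which is presumably intended but worth a comment here, e.g. `// Permission bits granted to other users are not bounded by the editor's own permissions`. The enclosing action continues outside the hunk.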