From 6427eec0a7cf133b7348145fb3c7c5f89c8eb99e Mon Sep 17 00:00:00 2001
From: Stephan Richter <s.richter@srsoftware.de>
Date: Wed, 9 Jul 2025 00:36:22 +0200
Subject: [PATCH] bugfix

---
 .../src/main/java/de/srsoftware/umbrella/user/UserModule.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
index bf74dae..ed3dc63 100644
--- a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
+++ b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
@@ -168,7 +168,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 			long userId = Long.parseLong(head);
 			if (user.isEmpty()) return forbidden(ex);
 			if (!(user.get() instanceof DbUser dbUser)) return forbidden(ex);
-			if (dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS)) return forbidden(ex);
+			if (!(dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS))) return forbidden(ex);
 			return sendContent(ex,users.load(userId));
 		} catch (UmbrellaException e) {
 			return send(ex,e);
@@ -196,7 +196,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 			userId = Long.parseLong(head);
 			DbUser editedUser = (DbUser) users.load(userId);
 
-			if (!(requestingUser.get() instanceof DbUser dbUser) || !dbUser.permissions().contains(UPDATE_USERS)) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
+			if (!(requestingUser.get() instanceof DbUser dbUser) || !(dbUser.id() == userId || dbUser.permissions().contains(UPDATE_USERS))) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
 
 			JSONObject json;
 			try {