diff --git a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
index 4a22b48..ffb966a 100644
--- a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
+++ b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
@@ -167,7 +167,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 long userId = Long.parseLong(head);
 if (user.isEmpty()) return forbidden(ex);
 if (!(user.get() instanceof DbUser dbUser)) return forbidden(ex);
- if (dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS)) return forbidden(ex);
+ if (!(dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS))) return forbidden(ex);
 return sendContent(ex,users.load(userId));
 } catch (UmbrellaException e) {
 return send(ex,e);
@@ -195,7 +195,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 userId = Long.parseLong(head);
 DbUser editedUser = (DbUser) users.load(userId);
- if (!(requestingUser.get() instanceof DbUser dbUser) || !dbUser.permissions().contains(UPDATE_USERS)) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
+ if (!(requestingUser.get() instanceof DbUser dbUser) || !(dbUser.id() == userId || dbUser.permissions().contains(UPDATE_USERS))) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
 JSONObject json;
 try {
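Review bot: In the first hunk (`@@ -167,7 +167,7 @@`) the access rule is still written as an inline negated compound condition, the same form whose inversion this commit corrects, and nothing on the line says who is meant to pass. Naming the predicate keeps the intent readable: `boolean mayView = dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS);` followed by `if (!mayView) return forbidden(ex);`. The second hunk (`@@ -195,7 +195,7 @@`) repeats the shape with `UPDATE_USERS`; unlike the first, it calls `users.load(userId)` before the check and puts `editedUser.name()` into the 403 body, so a caller who fails the check still learns the name behind the id. Because that hunk now admits self-edits and its JSON handling lies outside the visible lines, it is worth confirming that the self-edit path cannot change the caller's own permissions. Both handler bodies start and end outside the hunks.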