diff --git a/application/src/Controller/Admin/UserController.php b/application/src/Controller/Admin/UserController.php
index 8bbdf05ed..16fa80c16 100644
--- a/application/src/Controller/Admin/UserController.php
+++ b/application/src/Controller/Admin/UserController.php
@@ -139,6 +139,11 @@ public function editAction()
 $readResponse = $this->api()->read('users', $id);
 $user = $readResponse->getContent();
 $userEntity = $user->getEntity();
+
+ if (!$this->userIsAllowed($userEntity, 'update')) {
+ throw new Exception\PermissionDeniedException;
+ }
+
 $currentUser = $userEntity === $this->identity();
 $keys = $userEntity->getKeys();