diff --git a/admin/ajax/user.php b/admin/ajax/user.php
index bf9099d..7ed062c 100644
--- a/admin/ajax/user.php
+++ b/admin/ajax/user.php
@@ -33,6 +33,10 @@ if ($_SERVER["REQUEST_METHOD"] == "PATCH" || $_SERVER["REQUEST_METHOD"] == "POST
 // create new user, but user exists
 send_error(409, "userexists");
 }
+ // you cannot modify data of those with higher permission than you
+ if ($target_user->level > $user->level) {
+ send_error(403, "nopermission");
+ }
 } catch (NoUserException $e) {
 if ($_SERVER["REQUEST_METHOD"] == "PATCH") {
 // modify one that not exist -> error
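Review bot: The new guard compares only the target's current level with a strict `>`, so a caller can still modify any account at their own level, and nothing in this hunk constrains the level value the request is trying to assign, which is the usual privilege-escalation path for a PATCH/POST user endpoint. Consider `if ($target_user->level >= $user->level) {` with an explicit exemption for editing one's own account, and a separate check that the requested new level does not exceed `$user->level`; that second check would also need to apply on the POST create path in the `catch (NoUserException $e)` branch, which this guard does not reach. The note assumes `send_error()` terminates the request; if it only emits a response, the update code after it still runs. The enclosing `try` and the request-method dispatch begin outside the hunk.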