From 1ad78af5a01cee8360e963018526540edad168a1 Mon Sep 17 00:00:00 2001
From: Zoey <zoey@z0ey.de>
Date: Sun, 26 Apr 2026 14:14:30 +0200
Subject: [PATCH] fix #5441

---
 backend/internal/user.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/internal/user.js b/backend/internal/user.js
index d13931d54a..fad0de2838 100644
--- a/backend/internal/user.js
+++ b/backend/internal/user.js
@@ -87,7 +87,13 @@ const internalUser = {
 		}
 
 		return access
-			.can("users:update", data.id)
+			.can("users:permissions", data.id)
+			.catch(() => {
+				delete data.roles;
+			})
+			.then(() => {
+				return access.can("users:update", data.id);
+			})
 			.then(() => {
 				// Make sure that the user being updated doesn't change their email to another user that is already using it
 				// 1. get user we want to update