diff --git a/internal/controllers/membershipController.go b/internal/controllers/membershipController.go
index 263f9c0..19c0441 100644
--- a/internal/controllers/membershipController.go
+++ b/internal/controllers/membershipController.go
@@ -36,7 +36,7 @@ func (mc *MembershipController) RegisterSubscription(c *gin.Context) {
 		return
 	}
-	if !utils.HasPrivilige(requestUser, constants.Priviliges.Update) {
+	if !utils.HasPrivilige(requestUser, constants.Priviliges.Create) {
 		utils.RespondWithError(c, errors.ErrNotAuthorized, "Not allowed to register subscription", http.StatusForbidden, "user.user", "server.error.unauthorized")
 		return
 	}
@@ -118,7 +118,7 @@ func (mc *MembershipController) DeleteSubscription(c *gin.Context) {
 		return
 	}
-	if !utils.HasPrivilige(requestUser, constants.Priviliges.Update) {
+	if !utils.HasPrivilige(requestUser, constants.Priviliges.Delete) {
 		utils.RespondWithError(c, errors.ErrNotAuthorized, "Not allowed to update subscription", http.StatusForbidden, "user.user", "server.error.unauthorized")
 		return
 	}
diff --git a/internal/controllers/user_controller.go b/internal/controllers/user_controller.go
index b411b2c..3f2a39c 100644
--- a/internal/controllers/user_controller.go
+++ b/internal/controllers/user_controller.go
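Review bot: The DeleteSubscription hunk switches the check to `constants.Priviliges.Delete` but keeps the error text `"Not allowed to update subscription"`, so a 403 from the delete endpoint is logged and reported as an update failure; change it to `"Not allowed to delete subscription"`. The RegisterSubscription hunk is consistent (Create privilege, "register" message). Both function bodies continue outside the hunks, so where requestUser is populated is not visible here.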
@@ -45,6 +45,17 @@ func (uc *UserController) CurrentUserHandler(c *gin.Context) {
 }
 func (uc *UserController) GetAllUsers(c *gin.Context) {
+
+	requestUser, err := uc.ExtractUserFromContext(c)
+	if err != nil {
+		utils.RespondWithError(c, err, "Error extracting user from context in UpdateHandler", http.StatusBadRequest, "general", "server.validation.no_auth_tokenw")
+		return
+	}
+	if requestUser.RoleID == constants.Roles.Member {
+		utils.RespondWithError(c, errors.ErrNotAuthorized, "Not allowed to update user", http.StatusForbidden, "user.user", "server.error.unauthorized")
+		return
+	}
+
 	users, err := uc.Service.GetUsers(nil)
 	if err != nil {
 		utils.RespondWithError(c, err, "Error getting users in GetAllUsers", http.StatusInternalServerError, "user.user", "server.error.internal_server_error")
@@ -116,7 +127,7 @@ func (uc *UserController) DeleteUser(c *gin.Context) {
 		return
 	}
-	if !utils.HasPrivilige(requestUser, constants.Priviliges.Update) && data.User.ID != requestUser.ID {
+	if !utils.HasPrivilige(requestUser, constants.Priviliges.Delete) && data.User.ID != requestUser.ID {
 		utils.RespondWithError(c, errors.ErrNotAuthorized, "Not allowed to delete user", http.StatusForbidden, "user.user", "server.error.unauthorized")
 		return
 	}
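Review bot: The new GetAllUsers guard is a deny-list on a single role (`requestUser.RoleID == constants.Roles.Member`), unlike every other check in this commit, which asks `utils.HasPrivilige` for a specific privilege; any role other than Member, including an unset or unexpected RoleID, receives the full user list, whereas a positive privilege check in the style of the other hunks (using whichever read/list privilege the constants package defines) would fail closed. The messages look copy-pasted from UpdateHandler: `"Error extracting user from context in UpdateHandler"` and `"Not allowed to update user"` will mislead anyone reading logs for this endpoint, and `"server.validation.no_auth_tokenw"` looks like a typo of a translation key, so confirm it exists in the bundle. The DeleteUser hunk further down reads correctly. GetAllUsers's body continues past the hunk.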