diff --git a/tailbone/views/users.py b/tailbone/views/users.py
index 91c2d194..02908eb9 100644
--- a/tailbone/views/users.py
+++ b/tailbone/views/users.py
@@ -290,6 +290,11 @@ class UsersView(PrincipalMasterView):
 return user
 def update_roles(self, user, data):
+ if not self.has_perm('edit_roles'):
+ return
+ if 'roles' not in data:
+ return
+
 old_roles = set([r.uuid for r in user.roles])
 new_roles = data['roles']
 admin = administrator_role(self.Session())
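Review bot: The new guard at the top of `update_roles` returns silently when the caller lacks `edit_roles`, so a request that carries a `roles` value without that permission is dropped and leaves no trace. If the form hides the field from such users (not visible here), a submitted `roles` key suggests a tampered request and is worth recording: consider testing `'roles' not in data` first and then, on the permission failure, logging the acting user and the target user before the `return`. A short comment such as `# role changes require the 'edit_roles' permission; the field is ignored otherwise` would also make the intent explicit. The rest of `update_roles` lies outside this hunk, so how `administrator_role` is used and whether a user can grant roles they do not hold themselves could not be checked.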