diff --git a/server/api/controller/user.js b/server/api/controller/user.js
index 4fa8c900..876c9b0d 100644
--- a/server/api/controller/user.js
+++ b/server/api/controller/user.js
@@ -62,13 +62,9 @@ const userController = {
 if (!user) {
 return res.status(404).json({ success: false, message: 'User not found!' })
 }
- if (req.body.id !== req.user.id && !req.user.is_admin) {
- return res.status(400).json({ succes: false, message: 'Not allowed' })
- }
-
 if (!req.body.password) { delete req.body.password }
- if (!user.is_active && req.body.is_active && user.recover_code) {
+ if ((!user.is_active && req.body.is_active) || user.recover_code) {
 mail.send(user.email, 'confirm', { user, config }, res.locals.settings.locale)
 }
@@ -89,6 +85,7 @@ const userController = {
 }
 req.body.is_active = false
+ req.body.is_admin = false
 // check email
 if (!linkify.test(req.body.email, 'email')) {
diff --git a/server/api/index.js b/server/api/index.js
index 77e83610..8e3f002a 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -83,7 +83,7 @@ module.exports = () => {
 api.post('/user', isAdmin, userController.create)
 // update user
- api.put('/user', isAuth, userController.update)
+ api.put('/user', isAdmin, userController.update)
 // delete user
 api.delete('/user/:id', isAdmin, userController.remove)
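Review bot: With the in-handler ownership/admin check removed, `update` now has no authorization logic of its own and depends entirely on the route middleware; nothing in the remaining body states that assumption, so a future route that mounts this handler without `isAdmin` would silently expose it. A comment at the top of the kept body, `// Authorization is enforced by the isAdmin middleware on PUT /user (api/index.js); this handler assumes req.user is an admin`, would make the invariant visible where the check used to be. The rewritten mail condition also sends the 'confirm' mail on every update whenever `user.recover_code` is set, independent of the is_active transition; if re-sending on each admin edit of a user with a pending code is not intended, the `user.recover_code` term should be narrowed back into the active-transition clause. The enclosing `update` method starts and ends outside the hunk.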
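Review bot: Forcing `req.body.is_admin = false` beside `req.body.is_active = false` closes one mass-assignment path, but it is a deny-list: any other model attribute present in the body (for example `recover_code`, which the update handler in this same file treats as meaningful) still passes through if the create call further down consumes `req.body` wholesale — that call is outside the hunk, so this is inferred. An explicit allow-list of the fields a new account may supply would be more robust than blanking privilege flags one at a time. A short comment, `// never trust privilege/state flags from the request body`, would explain why both assignments are here.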
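Review bot: The `// update user` comment now understates the route's contract: with `isAdmin` replacing `isAuth`, a non-admin user can no longer update their own record through this endpoint, which is a behaviour change beyond the hardening and is not called out anywhere in the hunk. If self-service profile updates are meant to live on another route, note it here; otherwise the comment should read `// update user (admin only)` so the next reader does not reintroduce `isAuth` without restoring the per-user ownership check the controller used to have. The enclosing `module.exports` arrow function starts and ends outside the hunk.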