diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 611b7803..3868f5a5 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -3266,6 +3266,9 @@ class UsersController < ApplicationController
   end
   def edit
+    unless User.current.admin?
+      render_403
+    end
     @auth_sources = AuthSource.all
     @membership ||= Member.new
   end
@@ -3282,6 +3285,9 @@ class UsersController < ApplicationController
   end
   def update
+    unless User.current.admin?
+      render_403
+    end
     @user.admin = params[:user][:admin] if params[:user][:admin]
     @user.login = params[:user][:login] if params[:user][:login]
     if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
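Review bot: The new guard in `update` (and identically in `edit`) does not stop the action: `render_403` is called but execution falls through, so a non-admin request still reaches `@user.admin = params[:user][:admin]`, `@user.login = ...` and whatever persists `@user` further down, and a second render later in the action would raise DoubleRenderError on top of that. The check only protects state if it returns, e.g. `return render_403 unless User.current.admin?` in both actions, replacing the three-line `unless` block. Since this looks like a Redmine-derived controller, the conventional and less error-prone form is a `before_action` (Redmine's ApplicationController provides `require_admin`), which cannot be bypassed by a missing `return`; that is inferred from the helpers used here, not visible in the hunk. The body of `update` continues outside the hunk, so where `@user` is saved cannot be confirmed from this view.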