diff --git a/functions/api/events-team/strikes/_middleware.ts b/functions/api/events-team/strikes/_middleware.ts
new file mode 100644
index 0000000..8c62606
--- /dev/null
+++ b/functions/api/events-team/strikes/_middleware.ts
@@ -0,0 +1,18 @@
+import { jsonError } from "../../../common.js";
+
+export async function onRequest(context: RequestContext) {
+  const { current_user: user } = context.data;
+
+  if (!user) return jsonError("Not logged in", 401);
+
+  if (![1 << 3, 1 << 4, 1 << 12].find((p) => user.permissions & p))
+    return jsonError("Not part of Events Team", 403);
+
+  if (
+    context.request.method !== "GET" &&
+    ![1 << 4, 1 << 12].find((p) => user.permissions & p)
+  )
+    return jsonError("Cannot manage strikes", 403);
+
+  return await context.next();
+}