diff --git a/functions/api/game-bans/[user]/revoke.ts b/functions/api/game-bans/[user]/revoke.ts
index 1b8453f..4f8f37d 100644
--- a/functions/api/game-bans/[user]/revoke.ts
+++ b/functions/api/game-bans/[user]/revoke.ts
@@ -3,6 +3,9 @@ import { insertLogs } from "../../../gcloud.js";
 import { jsonError } from "../../../common.js";
 
 export async function onRequestPost(context: RequestContext) {
+ if (!(context.data.current_user.permissions & (1 << 5)))
+ return jsonError("Forbidden", 403);
+
 const { ticket_link } = context.data.body;
 
 if (
diff --git a/functions/api/game-bans/_middleware.ts b/functions/api/game-bans/_middleware.ts
index 569715e..9d3ef1c 100644
--- a/functions/api/game-bans/_middleware.ts
+++ b/functions/api/game-bans/_middleware.ts
@@ -5,7 +5,8 @@ export async function onRequest(context: RequestContext) {
 
 if (!currentUser) return jsonError("Not logged in", 401);
 
- if (!(currentUser.permissions & (1 << 5))) return jsonError("Forbidden", 403);
+ if (![1 << 5, 1 << 8].find((perm) => currentUser.permissions & perm))
+ return jsonError("Forbidden", 403);
 
 return await context.next();
 }
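Review bot: The new guard at the top of `onRequestPost` in `revoke.ts` hard-codes `1 << 5`, the same bare literal the middleware uses, and nothing says which permission it stands for or why revoke needs it when the middleware also admits `1 << 8`. This check is now the only thing keeping bit-8-only users out of revoke, so a comment such as `// Revoke requires bit 5; the shared middleware also lets bit 8 through` would make that dependency visible. A constant shared with `_middleware.ts` would also keep the two files from drifting apart. The function body continues outside the hunk.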
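Review bot: Widening the check in `_middleware.ts` to accept `1 << 5` or `1 << 8` opens every route under `functions/api/game-bans/` to bit-8 holders, and in this diff only `revoke.ts` gains its own bit-5 guard. Any other handler in that directory (none is visible here) should be checked to confirm bit 8 is meant to reach it, or given the same per-handler guard. Separately, `.find` returns the matched number and is used only for its truthiness; `.some` states the intent and yields a boolean: `if (![1 << 5, 1 << 8].some((perm) => (currentUser.permissions & perm) !== 0))`. `onRequest` starts outside the hunk.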