diff --git a/functions/api/appeals/toggle.ts b/functions/api/appeals/toggle.ts
index d6b08b0..4e0db6e 100644
--- a/functions/api/appeals/toggle.ts
+++ b/functions/api/appeals/toggle.ts
@@ -1,5 +1,14 @@
 export async function onRequestPost(context: RequestContext) {
   const { active } = context.data.body;
+  const { permissions } = context.data.current_user;
+
+  if (!(permissions & (1 << 0)) || !(permissions & (1 << 11)))
+    return new Response('{"error":"Forbidden"}', {
+      headers: {
+        "content-type": "application/json",
+      },
+      status: 403,
+    });
 
   if (typeof active !== "boolean")
     return new Response('{"error":"Active property must be a boolean"}', {
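Review bot: The added guard `!(permissions & (1 << 0)) || !(permissions & (1 << 11))` returns 403 unless both bit 0 and bit 11 are set, and neither bit is named, so a reader cannot tell whether requiring both is intended. If either permission alone should allow the toggle, the condition should be `if (!(permissions & ((1 << 0) | (1 << 11))))`. Either way, a short comment or named constants for the two bits would make the authorization rule auditable. Separately, `const { permissions } = context.data.current_user;` throws if `current_user` is not set, so unless upstream middleware (not visible here) guarantees an authenticated user, an explicit check that returns 401 is safer than an unhandled exception. The body of `onRequestPost` continues past the end of this hunk.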