diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js
index da3bd6c33..8fca45ac4 100644
--- a/src/routes/test/users-test.js
+++ b/src/routes/test/users-test.js
@@ -116,7 +116,7 @@ describe('Users API', function () {
         });
     });
 
-    it('create admin', function (done) {
+    it('create owner', function (done) {
         superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
             .query({ setupToken: 'somesetuptoken' })
             .send({ username: USERNAME_0, password: PASSWORD, email: EMAIL_0 })
diff --git a/src/routes/users.js b/src/routes/users.js
index a3a78d1ae..056c5ead8 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -71,6 +71,8 @@ function update(req, res, next) {
     if ('role' in req.body) {
         if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
         if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
+
+        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
     }
 
     if ('active' in req.body) {
@@ -78,7 +80,7 @@ function update(req, res, next) {
         if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
     }
 
-    if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
+    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
 
     users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
         if (error) return next(BoxError.toHttpError(error));
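Review bot: The added `compareRoles(req.user.role, req.body.role) < 0` guard inside the `'role' in req.body` branch is the privilege-escalation check for this endpoint, but nothing in the hunk says so or says what happens when `req.body.role` is a string that is not a known role; if `compareRoles` returns something other than a negative number for an unrecognised role (undefined or NaN, for instance — I cannot see its implementation from here), `< 0` is false and the request falls through to `users.update`, so the role validation there is what actually stops a bogus value. A short comment would make the intent explicit for the next reader, e.g. `// a user may only grant a role at or below their own; unknown role strings are rejected by users.update`, with the second clause confirmed against `users.compareRoles`/`users.update`. The same concern applies to the rewritten check in the following hunk, which now compares against the target's current role. `update` begins before this hunk and continues past the next one.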
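Review bot: The rewritten check `compareRoles(req.user.role, req.resource.role) < 0` now blocks editing any user whose role is higher than the caller's, which closes the gap where a lower role could deactivate or rename a higher one, but with `< 0` a caller of equal role is still allowed through, so a peer can demote or deactivate another peer of the same role as long as the new role passes the previous hunk's check. If that peer-modification is intended, it deserves a comment at this line such as `// callers may modify users of equal or lower role; self-modification of role/active is rejected above`, and if it is not, the comparison would need to be `<= 0` for role changes, which should be decided explicitly rather than left implicit. Both 403 messages echo a role string back to the client; for `req.resource.role` that is server data, for `req.body.role` in the earlier hunk it is caller input, which is harmless in a JSON error body but worth keeping in mind if these messages are ever rendered elsewhere. `update` continues past the end of this hunk.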