diff --git a/flaschengeist/controller/userController.py b/flaschengeist/controller/userController.py
index 9106032..dc9aa43 100644
--- a/flaschengeist/controller/userController.py
+++ b/flaschengeist/controller/userController.py
@@ -28,12 +28,12 @@ def update_user(user):
 def set_roles(user: User, roles: [str]):
- user.roles.clear()
+ user.roles_.clear()
 for role_name in roles:
 role = Role.query.filter(Role.name == role_name).one_or_none()
 if not role:
 raise BadRequest("Role not found >{}<".format(role_name))
- user.roles.append(role)
+ user.roles_.append(role)
 def modify_user(user, password, new_password=None):
@@ -56,7 +56,7 @@ def get_users():
 def get_user_by_role(role: Role):
- return User.query.join(User.roles).filter_by(role_id=role.id).all()
+ return User.query.join(User.roles_).filter_by(role_id=role.id).all()
 def get_user(uid):
diff --git a/flaschengeist/models/user.py b/flaschengeist/models/user.py
index 4166cc7..fe55ee8 100644
--- a/flaschengeist/models/user.py
+++ b/flaschengeist/models/user.py
@@ -53,14 +53,19 @@ class User(db.Model, ModelSerializeMixin):
 firstname: str = db.Column(db.String(30))
 lastname: str = db.Column(db.String(30))
 mail: str = db.Column(db.String(30))
- roles: [Role] = db.relationship("Role", secondary=association_table)
+ roles: [str] = []
+ roles_: [Role] = db.relationship("Role", secondary=association_table)
 _id = db.Column("id", db.Integer, primary_key=True)
 _sessions = db.relationship("Session", back_populates="_user")
 _attributes = db.relationship(
 "_UserAttribute", collection_class=attribute_mapped_collection("name"), cascade="all, delete"
 )
+ @property
+ def roles(self):
+ return [role.name for role in self.roles_]
+
 def set_attribute(self, name, value):
 if name in self._attributes:
 self._attributes[name].value = value
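Review bot: `set_roles` still clears `user.roles_` before any of the requested names is validated, so a single unknown role name in the list leaves the user with no roles pending in the session while `BadRequest` propagates; whether that partial state is ever flushed depends on the caller's commit/rollback handling, which is outside this hunk. Resolving every name first and only then replacing the collection makes the update all-or-nothing regardless of the caller. The same `clear()`-then-loop shape is the only logic in this hunk; the second hunk of this file (`get_user_by_role`) is a pure rename.
```python
def set_roles(user: User, roles: [str]):
    resolved = []
    for role_name in roles:
        # … unchanged: look up role by name, raise BadRequest if missing …
        resolved.append(role)
    user.roles_.clear()
    user.roles_.extend(resolved)
```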
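Review bot: The class attribute `roles: [str] = []` is shadowed by the `roles` property defined a few lines further down in the same class body, so the `[]` value is dead and only the annotation survives in `__annotations__`; presumably that annotation is what `ModelSerializeMixin` reads to include `roles` in `serialize()` output, in which case an annotation-only `roles: [str]` says the same thing without a misleading mutable class-level default. The property has no setter, so any generic `setattr(user, "roles", …)` now raises `AttributeError`; that is worth stating in a docstring on the property, e.g. `"""Names of the roles assigned to this user (read-only; change them via userController.set_roles)."""`. `set_attribute` continues past the end of the hunk.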
@@ -76,7 +81,7 @@ class User(db.Model, ModelSerializeMixin):
 return default
 def get_permissions(self):
- return ["user"] + [permission.name for role in self.roles for permission in role.permissions]
+ return ["user"] + [permission.name for role in self.roles_ for permission in role.permissions]
 def has_permission(self, permission):
 return permission in self.get_permissions()
diff --git a/flaschengeist/plugins/auth/__init__.py b/flaschengeist/plugins/auth/__init__.py
index 9889e04..8bd867f 100644
--- a/flaschengeist/plugins/auth/__init__.py
+++ b/flaschengeist/plugins/auth/__init__.py
@@ -49,7 +49,7 @@ def login():
 # Lets cleanup the DB
 sessionController.clear_expired()
- return {"session": session, "user": user}, CREATED
+ return {"session": session, "user": user, "permissions": user.get_permissions()}, CREATED
 @auth_bp.route("/auth", methods=["GET"])
diff --git a/flaschengeist/plugins/users/__init__.py b/flaschengeist/plugins/users/__init__.py
index 87875cf..ef7a7d7 100644
--- a/flaschengeist/plugins/users/__init__.py
+++ b/flaschengeist/plugins/users/__init__.py
@@ -9,6 +9,7 @@ from flask import Blueprint, request, jsonify, make_response
 from werkzeug.exceptions import BadRequest, Forbidden, MethodNotAllowed
 from flaschengeist import logger
+from flaschengeist.models.user import User
 from flaschengeist.plugins import Plugin
 from flaschengeist.decorator import login_required, extract_session
 from flaschengeist.controller import userController
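Review bot: The `"permissions"` entry added to the login response is a snapshot taken at login time, and `get_permissions()` (shown in the earlier hunk of `models/user.py`) builds it as `["user"] + [...]`, so the array can carry the same permission name several times when two of the user's roles grant it; a stable, deduplicated payload is `"permissions": sorted(set(user.get_permissions()))`. Since the list goes stale whenever roles change during the session's lifetime, a short comment on the return line such as `# informational snapshot for the client; per-request checks still use has_permission()` would make the intended use clear. `login` begins before the start of the hunk.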
@@ -81,11 +82,14 @@ def get_user(userid, current_session):
 current_session: Session sent with Authorization Header
 Returns:
- JSON encoded `flaschengeist.models.user.User` or HTTP error
+ JSON encoded `flaschengeist.models.user.User` or if userid is current user also containing permissions or HTTP error
 """
 logger.debug("Get information of user {{ {} }}".format(userid))
- user = userController.get_user(userid)
- return jsonify(user)
+ user: User = userController.get_user(userid)
+ serial = user.serialize()
+ if (userid == current_session._user.userid):
+ serial['permissions'] = user.get_permissions()
+ return jsonify(serial)
 @users_bp.route("/users/", methods=["DELETE"])
@@ -132,9 +136,11 @@ def edit_user(userid, current_session):
 password = None
 new_password = data["new_password"] if "new_password" in data else None
+ author = user
 if userid != current_session._user.userid:
- if not user.has_permission(_permission_edit):
- return Forbidden
+ author = current_session._user
+ if not author.has_permission(_permission_edit):
+ raise Forbidden
 else:
 if "password" not in data:
 raise BadRequest("Password is missing")
@@ -145,7 +151,7 @@ def edit_user(userid, current_session):
 setattr(user, key, data[key])
 if "roles" in data:
- if not author.has_permission(_permission_set_roles):
+ if not author.has_permission(_permission_set_roles):
 raise Forbidden
 userController.set_roles(user, data["roles"])
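Review bot: The self-check in `get_user` is the line that decides whether permission names are disclosed to the caller, and it is written in a style that differs from the rest of the file: redundant parentheses around the condition and single-quoted key where the surrounding code uses double quotes. `if userid == current_session._user.userid:` and `serial["permissions"] = user.get_permissions()` read the same and match the file. The comparison also reaches into `Session._user` from outside the model; if a public accessor exists on `Session` (not visible here) it would be the better choice, and a one-line comment `# permissions are only exposed to the account itself` documents the intent of the gate. `get_user` starts before the hunk.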
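Review bot: `author` is first bound to `user` and then rebound to `current_session._user` inside the `if`, which makes the reader work out that the two are the same account on the self-edit path; binding it once, before the branch, is simpler and keeps the later `_permission_set_roles` check (in the last hunk of this file) reading naturally: `author = current_session._user` followed by `if userid != author.userid:`. This assumes `user` was loaded by the same `userid` earlier in `edit_user`, which lies before the start of the hunk. Replacing `return Forbidden` with `raise Forbidden` is the right fix and needs no further change.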