diff --git a/flaschengeist/modules/auth/__init__.py b/flaschengeist/modules/auth/__init__.py
index 594bb01..1c3f036 100644
--- a/flaschengeist/modules/auth/__init__.py
+++ b/flaschengeist/modules/auth/__init__.py
@@ -76,7 +76,7 @@ def _get_sessions(access_token: Session, **kwargs):
 @login_required()
 def _delete_session(access_token, token, **kwargs):
     logger.debug("Try to delete access token {{ {} }}".format(token))
-    token = sessionController.get_session(token, access_token.user)
+    token = sessionController.get_session(token, access_token._user)
     if not token:
         logger.debug("Token not found in database!")
         # Return 403 error, so that users can not bruteforce tokens
@@ -91,7 +91,7 @@ def _delete_session(access_token, token, **kwargs):
 @login_required()
 def _get_session(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
@@ -103,7 +103,7 @@ def _get_session(token, access_token, **kwargs):
 @login_required()
 def _get_assocd_user(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
@@ -114,7 +114,7 @@ def _get_assocd_user(token, access_token, **kwargs):
 @auth_bp.route("/auth/<token>", methods=["PUT"])
 @login_required()
 def _set_lifetime(token, access_token, **kwargs):
-    token = sessionController.get_token(token, access_token.user)
+    token = sessionController.get_token(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
diff --git a/flaschengeist/modules/users/__init__.py b/flaschengeist/modules/users/__init__.py
index f48cfe5..3f7cec5 100644
--- a/flaschengeist/modules/users/__init__.py
+++ b/flaschengeist/modules/users/__init__.py
@@ -62,7 +62,7 @@ def __delete_user(uid, **kwargs):
 
 @users_bp.route("/users/<uid>", methods=["PUT"])
 @login_required()
-def __edit_user(uid, **kwargs):
+def __edit_user(uid, access_token ,**kwargs):
     logger.debug("Modify information of user {{ {} }}".format(uid))
     user = userController.get_user(uid)
     data = request.get_json()
@@ -70,7 +70,7 @@ def __edit_user(uid, **kwargs):
     password = None
     new_password = data["new_password"] if "new_password" in data else None
 
-    if uid != kwargs["access_token"].user.userid:
+    if uid != access_token._user.userid:
         if not user.has_permission(_permission_edit):
             return Forbidden
     else: