diff --git a/src/model/user.rs b/src/model/user.rs index e79c8fc..c13535a 100644 --- a/src/model/user.rs +++ b/src/model/user.rs @@ -968,22 +968,18 @@ macro_rules! special_user { } } }; - (@check_roles $user:ident, $db:ident, $(+$role:expr),* $(,-$neg_role:expr)*) => { { + let mut has_positive_role = false; $( - if !$user.has_role($db, $role).await { - false - } else + if $user.has_role($db, $role).await { + has_positive_role = true; + } )* + has_positive_role $( - if $user.has_role($db, $neg_role).await { - false - } else + && !$user.has_role($db, $neg_role).await )* - { - true - } } }; } @@ -996,6 +992,7 @@ special_user!(DonauLinzUser, +"Donau Linz", -"Unterstützend", -"Förderndes Mit special_user!(SchnupperBetreuerUser, +"schnupper-betreuer"); special_user!(VorstandUser, +"Vorstand"); special_user!(EventUser, +"manage_events"); +special_user!(AllowedToEditPaymentStatusUser, +"kassier", +"admin"); #[derive(FromRow, Serialize, Deserialize, Clone, Debug)] pub struct UserWithRolesAndMembershipPdf { diff --git a/src/tera/admin/user.rs b/src/tera/admin/user.rs index 9d12ece..0cf1e8a 100644 --- a/src/tera/admin/user.rs +++ b/src/tera/admin/user.rs @@ -7,8 +7,8 @@ use crate::{ logbook::Logbook, role::Role, user::{ - AdminUser, User, UserWithDetails, UserWithMembershipPdf, UserWithRolesAndMembershipPdf, - VorstandUser, + AdminUser, AllowedToEditPaymentStatusUser, User, UserWithDetails, + UserWithMembershipPdf, UserWithRolesAndMembershipPdf, VorstandUser, }, }, tera::Config, @@ -110,7 +110,7 @@ async fn index_admin( #[get("/user/fees")] async fn fees( db: &State, - admin: VorstandUser, + user: AllowedToEditPaymentStatusUser, flash: Option>, ) -> Template { let mut context = Context::new(); @@ -130,7 +130,7 @@ async fn fees( } context.insert( "loggedin_user", - &UserWithDetails::from_user(admin.into_inner(), db).await, + &UserWithDetails::from_user(user.into_inner(), db).await, ); Template::render("admin/user/fees", context.into_json()) 
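Review bot: The rewritten `@check_roles` arm changes several `+` roles from all-of to any-of: the old chain yielded `false` as soon as one positive role was missing, whereas `has_positive_role` is now set by the first match. This applies to every `special_user!` invocation, not only the new `AllowedToEditPaymentStatusUser`, so any guard defined outside this hunk with more than one `+` role is silently widened. A guard with no `+` role, if the macro accepts one, would now always be denied, so the existing invocations are worth auditing before merge. I would state the contract on the arm, e.g. `// access = has ANY +role AND NONE of the -roles`, and avoid redundant role queries after a match with `if !has_positive_role && $user.has_role($db, $role).await {`. The macro body starts above the hunk.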
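Review bot: Swapping `VorstandUser` for `AllowedToEditPaymentStatusUser` on `fees` removes access to `/user/fees` from Vorstand members who hold neither `kassier` nor `admin`. The guard's name also describes editing, while the visible part of this handler only renders a template. If the narrowing is intended, a doc line above the handler such as `/// Access: kassier or admin only (Vorstand no longer included).` would make it explicit. Otherwise a separate view guard that still lists `+"Vorstand"` would keep the previous audience. The middle of `fees` lies outside the hunks shown.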
@@ -170,7 +170,7 @@ async fn scheckbuch(
 #[get("/user/fees/paid?")]
 async fn fees_paid(
 db: &State,
- admin: AdminUser,
+ calling_user: AllowedToEditPaymentStatusUser,
 user_ids: Vec,
 referer: Referer,
 ) -> Flash {
@@ -181,7 +181,10 @@ async fn fees_paid(
 if user.has_role(db, "paid").await {
 Log::create(
 db,
- format!("{} set fees NOT paid for '{}'", admin.user.name, user.name),
+ format!(
+ "{} set fees NOT paid for '{}'",
+ calling_user.user.name, user.name
+ ),
 )
 .await;
 user.remove_role(db, &Role::find_by_name(db, "paid").await.unwrap())
@@ -189,7 +192,10 @@ async fn fees_paid(
 } else {
 Log::create(
 db,
- format!("{} set fees paid for '{}'", admin.user.name, user.name),
+ format!(
+ "{} set fees paid for '{}'",
+ calling_user.user.name, user.name
+ ),
 )
 .await;
 user.add_role(db, &Role::find_by_name(db, "paid").await.unwrap())
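Review bot: `fees_paid` remains a `#[get]` route although it toggles the `paid` role, and this change replaces the `AdminUser` guard (presumably admin only) with one that admits `kassier` or `admin`, so more sessions can trigger it. A state change behind GET can be fired by a followed link, a prefetch or a cross-site request that carries the session cookie. Moving the handler to `#[post]` behind a form, with whatever CSRF protection the app already uses, would be the safer shape. Separately, both branches call `Role::find_by_name(db, "paid").await.unwrap()`, which panics the request if the role row is missing; returning a `Flash` error would be more robust. The code between the signature and the `has_role` check is outside the hunks.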