diff --git a/seeds.sql b/seeds.sql
index f1e1acd..caa32a2 100644
--- a/seeds.sql
+++ b/seeds.sql
@@ -13,6 +13,7 @@ INSERT INTO "role" (name) VALUES ('kassier');
 INSERT INTO "role" (name) VALUES ('schriftfuehrer');
 INSERT INTO "role" (name) VALUES ('no-einschreibgebuehr');
 INSERT INTO "role" (name) VALUES ('schnupper-betreuer');
+INSERT INTO "role" (name) VALUES ('allow_website_login');
 INSERT INTO "user" (name, pw) VALUES('admin', '$argon2id$v=19$m=19456,t=2,p=1$dS/X5/sPEKTj4Rzs/CuvzQ$4P4NCw4Ukhv80/eQYTsarHhnw61JuL1KMx/L9dm82YM');
 INSERT INTO "user_role" (user_id, role_id) VALUES(1,1);
 INSERT INTO "user_role" (user_id, role_id) VALUES(1,2);
diff --git a/src/tera/mod.rs b/src/tera/mod.rs
index e49e053..314483b 100644
--- a/src/tera/mod.rs
+++ b/src/tera/mod.rs
@@ -106,10 +106,18 @@ async fn steering(db: &State, user: User, flash: Option, login: Form>) -> String {
- match User::login(db, login.name, login.password).await {
- Ok(_) => "SUCC".into(),
- Err(_) => "FAIL".into(),
+ if let Ok(user) = User::login(db, login.name, login.password).await {
+ if user.has_role(db, "allow_website_login").await {
+ return String::from("SUCC");
+ }
+ if user.has_role(db, "admin").await {
+ return String::from("SUCC");
+ }
+ if user.has_role(db, "Vorstand").await {
+ return String::from("SUCC");
+ }
 }
+ "FAIL".into()
 }
 #[catch(401)] //Unauthorized
diff --git a/staging-diff.sql b/staging-diff.sql
index 6fb21fc..e4387f2 100644
--- a/staging-diff.sql
+++ b/staging-diff.sql
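Review bot: The new role is only meaningful because src/tera/mod.rs compares against the exact literal `"allow_website_login"`, so a typo on either side fails closed but silently, and nothing in this hunk grants the role to anyone — whether the seeded admin (user_role rows 1,1 and 1,2) can still reach the site depends on what roles 1 and 2 are, which is outside the hunk. I would put a comment above the insert: `-- Gates web login: name must match has_role("allow_website_login") in src/tera/mod.rs`. If `role.name` has no UNIQUE constraint (schema not visible here), a re-run of the seed would also create a duplicate unnoticed — worth verifying.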
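Review bot: A user whose password verifies but who holds none of the three roles now falls through to the same `"FAIL"` as a wrong password, which is fine against enumeration but leaves operators no way to tell an authorization denial from a credential failure; log that case at the end of the `if let` before falling through. The three sequential `has_role` round-trips can collapse into one guard: `if user.has_role(db, "allow_website_login").await || user.has_role(db, "admin").await || user.has_role(db, "Vorstand").await { return "SUCC".into(); }`. Note that `"Vorstand"` is capitalised while every role visible in the seeds.sql hunk is lowercase; if has_role compares with SQLite's default case-sensitive `=`, that branch may never match — confirm against the seeded role name. If `User::login` has side effects (issuing a session or cookie) the gate here only changes the response text rather than blocking the login, which is also worth confirming. The enclosing function's signature sits on the hunk header line and is mangled in this rendering.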
@@ -3,3 +3,35 @@ INSERT INTO user(name) VALUES('Marie');
 INSERT INTO "user_role" (user_id, role_id) VALUES((SELECT id from user where name = 'Marie'),(SELECT id FROM role where name = 'Donau Linz'));
 INSERT INTO user(name) VALUES('Philipp');
 INSERT INTO "user_role" (user_id, role_id) VALUES((SELECT id from user where name = 'Philipp'),(SELECT id FROM role where name = 'Donau Linz'));
+
+ALTER TABLE "role" ADD COLUMN "cluster" text;
+CREATE TRIGGER IF NOT EXISTS prevent_multiple_roles_same_cluster
+BEFORE INSERT ON user_role
+BEGIN
+ SELECT CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM user_role ur
+ JOIN role r1 ON ur.role_id = r1.id
+ JOIN role r2 ON r1."cluster" = r2."cluster"
+ WHERE ur.user_id = NEW.user_id
+ AND r2.id = NEW.role_id
+ AND r1.id != NEW.role_id
+ )
+ THEN RAISE(ABORT, 'User already has a role in this cluster')
+ END;
+END;
+
+
+UPDATE role SET 'cluster'='skill' WHERE id=2;
+UPDATE role SET 'cluster'='membership_type' WHERE id=3;
+UPDATE role SET 'cluster'='skill' WHERE id=5;
+UPDATE role SET 'cluster'='skill' WHERE id=6;
+UPDATE role SET 'cluster'='membership_type' WHERE id=7;
+UPDATE role SET 'cluster'='financial' WHERE id=8;
+UPDATE role SET 'cluster'='membership_type' WHERE id=9;
+UPDATE role SET 'cluster'='membership_type' WHERE id=14;
+UPDATE role SET 'cluster'='financial' WHERE id=17;
+UPDATE role SET 'cluster'='financial' WHERE id=18;
+UPDATE role SET 'cluster'='membership_type' WHERE id=20;
+UPDATE role SET 'cluster'='membership_type' WHERE id=22;
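Review bot: The trigger fires only BEFORE INSERT, so the one-role-per-cluster invariant can still be broken with `UPDATE user_role SET role_id = …` (or by re-clustering a role), and rows that already violate it when this migration runs are never checked; add the companion BEFORE UPDATE trigger below (it excludes the row being updated so a user may switch between two roles of the same cluster) and run `SELECT ur.user_id, r."cluster", COUNT(*) FROM user_role ur JOIN role r ON r.id = ur.role_id WHERE r."cluster" IS NOT NULL GROUP BY ur.user_id, r."cluster" HAVING COUNT(*) > 1` before creating either. Roles whose `cluster` is NULL are exempt because `r1."cluster" = r2."cluster"` is UNKNOWN for NULL — presumably intended, but it deserves a comment on the trigger. The twelve `UPDATE role SET 'cluster'=… WHERE id=N` statements tie clusters to hard-coded ids and quote the column in single quotes (SQLite accepts it in that position, but it reads as a string literal); the earlier lines of this same file already look roles up by name, so `SET "cluster"='financial' WHERE name = 'kassier'` would survive a database seeded in a different order.
```sql
-- … unchanged: prevent_multiple_roles_same_cluster (BEFORE INSERT) …
CREATE TRIGGER IF NOT EXISTS prevent_multiple_roles_same_cluster_on_update
BEFORE UPDATE OF user_id, role_id ON user_role
BEGIN
    SELECT CASE
        WHEN EXISTS (
            SELECT 1
            FROM user_role ur
            JOIN role r1 ON ur.role_id = r1.id
            JOIN role r2 ON r1."cluster" = r2."cluster"
            WHERE ur.user_id = NEW.user_id
              AND r2.id = NEW.role_id
              AND r1.id != NEW.role_id
              -- the row being updated must not count as its own conflict
              AND NOT (ur.user_id = OLD.user_id AND ur.role_id = OLD.role_id)
        )
        THEN RAISE(ABORT, 'User already has a role in this cluster')
    END;
END;
-- … unchanged: UPDATE role SET cluster … statements …
```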