diff --git a/packages/worker/src/api/routes/global/tests/users.spec.ts b/packages/worker/src/api/routes/global/tests/users.spec.ts
index 218bc60800..8984105c88 100644
--- a/packages/worker/src/api/routes/global/tests/users.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/users.spec.ts
@@ -262,6 +262,14 @@ describe("/api/global/users", () => {
 
       expect(events.user.created).toBeCalledTimes(1)
     })
+
+    it("should not allow a non-admin user to create a new user", async () => {
+      const nonAdmin = await config.createUser(structures.users.builderUser())
+      await config.createSession(nonAdmin)
+
+      const newUser = structures.users.user()
+      await api.users.saveUser(newUser, 403, config.authHeaders(nonAdmin))
+    })
   })
 
   describe("update", () => {
@@ -418,6 +426,14 @@ describe("/api/global/users", () => {
       expect(user).toStrictEqual(dbUser)
       expect(response.body.message).toBe("Email address cannot be changed")
     })
+
+    it("should allow a non-admin user to update an existing user", async () => {
+      const existingUser = await config.createUser(structures.users.user())
+      const nonAdmin = await config.createUser(structures.users.builderUser())
+      await config.createSession(nonAdmin)
+
+      await api.users.saveUser(existingUser, 200, config.authHeaders(nonAdmin))
+    })
   })
 
   describe("bulk (delete)", () => {
diff --git a/packages/worker/src/tests/api/users.ts b/packages/worker/src/tests/api/users.ts
index 3677bfffc6..a2f26052bc 100644
--- a/packages/worker/src/tests/api/users.ts
+++ b/packages/worker/src/tests/api/users.ts
@@ -91,11 +91,11 @@ export class UserAPI {
 
   // USER
 
-  saveUser = (user: User, status?: number) => {
+  saveUser = (user: User, status?: number, headers?: any) => {
     return this.request
       .post(`/api/global/users`)
       .send(user)
-      .set(this.config.defaultHeaders())
+      .set(headers ?? this.config.defaultHeaders())
       .expect("Content-Type", /json/)
       .expect(status ? status : 200)
   }