diff --git a/middleware/permission.go b/middleware/permission.go
index cdca098..74b0c0f 100644
--- a/middleware/permission.go
+++ b/middleware/permission.go
@@ -9,28 +9,38 @@ import (
 func Permission(requiredLevel uint) gin.HandlerFunc {
 return func(c *gin.Context) {
- userIdOrig, ok := c.Get("user_id")
- if !ok || userIdOrig.(string) == "" {
- c.AbortWithStatusJSON(401, gin.H{"status": "missing user id"})
- return
+ var permissionLevel uint
+ permissionLevelPrev, ok := c.Get("permission_level")
+ if !ok {
+ userIdOrig, ok := c.Get("user_id")
+ if !ok || userIdOrig.(string) == "" {
+ c.AbortWithStatusJSON(401, gin.H{"status": "missing user id"})
+ return
+ }
+
+ userId, err := uuid.Parse(userIdOrig.(string))
+ if err != nil {
+ c.AbortWithStatusJSON(500, gin.H{"status": "error parsing user id"})
+ return
+ }
+
+ userData, err := new(data.User).GetByUserId(userId)
+ if err != nil {
+ c.AbortWithStatusJSON(404, gin.H{"status": "user not found"})
+ return
+ }
+
+ permissionLevel = userData.PermissionLevel
+ c.Set("permission_level", userData.PermissionLevel)
+ } else {
+ permissionLevel = permissionLevelPrev.(uint)
 }
- userId, err := uuid.Parse(userIdOrig.(string))
- if err != nil {
- c.AbortWithStatusJSON(500, gin.H{"status": "error parsing user id"})
- return
- }
-
- userData, err := new(data.User).GetByUserId(userId)
- if err != nil {
- c.AbortWithStatusJSON(404, gin.H{"status": "user not found"})
- return
- }
-
- if userData.PermissionLevel < requiredLevel {
+ if permissionLevel < requiredLevel {
 c.AbortWithStatusJSON(403, gin.H{"status": "permission denied"})
 return
 }
+ c.Next()
 }
 }
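Review bot: The new `else` branch uses an unchecked type assertion, `permissionLevelPrev.(uint)`, so if anything else stores `permission_level` as an `int` or another type the middleware panics instead of making an authorization decision. Use the comma-ok form and fail closed, e.g. `permissionLevel, ok = permissionLevelPrev.(uint)` followed by `if !ok { c.AbortWithStatusJSON(403, gin.H{"status": "permission denied"}); return }`. The cached path also skips the `user_id` check and the database lookup entirely, so the `permission_level` context key is now part of the trust boundary: whatever sets it earlier in the handler chain decides the outcome. A comment above the `c.Get("permission_level")` call such as `// permission_level is written only by this middleware after a successful user lookup; never populate it from request data` would record that invariant, and a shared constant for the key would make every writer easy to find in review.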