diff --git a/packages/backend/src/the_api.ts b/packages/backend/src/the_api.ts
index 05875e9..4d0f3d7 100644
--- a/packages/backend/src/the_api.ts
+++ b/packages/backend/src/the_api.ts
@@ -1,6 +1,6 @@
 import { AttachmentId, PieceId, RepertoireId, Sha256 } from "common";
 import api, { NotFound, Role, Unauthorized } from "common/the_api";
-import { DateTime, Effect, HashSet, Option, pipe } from "effect";
+import { DateTime, Effect, HashSet, Number, Option, pipe } from "effect";
 import { sql } from "kysely";
 import { implement } from "./api";
 import * as Authentication from "./services/Authentication";
@@ -17,7 +17,11 @@ const requireAuthenticated = pipe(
 const requireReadAccess = pipe(
 Authentication.Authentication,
 Effect.flatMap(({ me }) => me),
- Effect.flatMap((user) => HashSet.isSubset(user.roles, READ_ACCESS)
+ Effect.flatMap((user) => pipe(
+ HashSet.intersection(user.roles, READ_ACCESS),
+ HashSet.size,
+ Number.greaterThan(0),
+ )
 ? Effect.succeed(user)
 : Effect.fail(Unauthorized.make())
 ),
@@ -26,7 +30,11 @@ const requireReadAccess = pipe(
 const requireWriteAccess = pipe(
 Authentication.Authentication,
 Effect.flatMap(({ me }) => me),
- Effect.flatMap((user) => HashSet.isSubset(user.roles, WRITE_ACCESS)
+ Effect.flatMap((user) => pipe(
+ HashSet.intersection(user.roles, WRITE_ACCESS),
+ HashSet.size,
+ Number.greaterThan(0),
+ )
 ? Effect.succeed(user)
 : Effect.fail(Unauthorized.make())
 ),
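Review bot: Importing `Number` from `effect` shadows the global `Number` for the whole module, so any `Number(...)` or `Number.parseInt(...)` call elsewhere in this file (not visible in the diff) would resolve to Effect's module instead of the built-in. The import is only used for `Number.greaterThan(0)` in the two access guards, so an alias keeps the global intact: `import { DateTime, Effect, HashSet, Number as EffectNumber, Option, pipe } from "effect";`, with the two call sites updated to match.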
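Review bot: The guard in `requireReadAccess` now means "the user holds at least one role in READ_ACCESS", but nothing in the code states that rule, and the same expression is repeated in `requireWriteAccess` in the next hunk. A comment above each guard, e.g. `// authorized when the user holds at least one role in READ_ACCESS`, would make the intended policy reviewable. A test with an empty role set and one with only a role outside the allowed set would pin it, since the replaced `isSubset(user.roles, …)` form appears to have accepted an empty role set. The predicate can also be written without the intermediate set and the size comparison as `HashSet.some(user.roles, (role) => HashSet.has(READ_ACCESS, role))`. Both pipes start and end outside the hunks, so any later steps are not covered here.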