diff --git a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationPreferenceService.xml b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationPreferenceService.xml
index 4fa810615bb8..33ae1b9764f7 100644
--- a/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationPreferenceService.xml
+++ b/xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationPreferenceService.xml
@@ -37,6 +37,7 @@
xwiki/2.1
true
{{velocity}}
+#set($isActionAllowed = false)
#if ("$!request.user" != "")
#if ($request.user.contains("."))
#set ($targetUser = $request.user)
@@ -47,15 +48,17 @@
#if ("$!request.target" == 'wiki')
#set ($targetDoc = $xwiki.getDocument($services.model.createDocumentReference('', ['XWiki', 'Notifications', 'Code'], 'NotificationAdministration')))
#set ($targetRef = $services.wiki.getCurrentWikiReference())
+ #set($isActionAllowed = $hasAdmin)
#elseif ("$!request.target" == 'user')
#set ($targetDoc = $xwiki.getDocument($targetUser))
- #set ($targetRef = $targetUser)
+ #set ($targetRef = $services.model.resolveDocument($targetUser))
+ #set($isActionAllowed = ($services.security.authorization.hasAccess('admin', $requestedUserDocRef) || $xcontext.userReference.equals($targetRef)))
#end
#if ("$!request.action" == "" && $request.method.equalsIgnoreCase('get'))
This is a technical page for Notifications macro.
#elseif (!$services.csrf.isTokenValid($request.csrf))
#set ($discard = $response.sendError(401, $services.localization.render('notifications.settings.error.badCSRF')))
-#elseif ("$!request.target" == 'wiki' && !$hasAdmin)
+#elseif (!$isActionAllowed)
#set ($discard = $response.sendError(401))
#elseif ("$!request.action" == "" || "$!request.target" == "" || ("$!request.target" == 'user' && "$!request.user" == ""))
#set ($discard = $response.sendError(400, $services.localization.render('notifications.settings.error.badParameters')))
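Review bot: The new authorization line in the `user` branch references `$requestedUserDocRef`, which is not set anywhere in this hunk; the only reference that branch builds is `$targetRef` on the line just above it. Unless it is defined in the lines between the two hunks, Velocity hands an undefined reference to the method as null, so the `hasAccess('admin', …)` half of the check is evaluated against a null entity rather than the target user's document and does not test what it names. The likely intended line is `#set($isActionAllowed = ($services.security.authorization.hasAccess('admin', $targetRef) || $xcontext.userReference.equals($targetRef)))`. Separately, `!$isActionAllowed` now routes an authenticated-but-unauthorized caller to the unchanged `sendError(401)`, where 403 would describe the failure. The `#if`/`#elseif` chain continues past the end of the hunk.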