diff --git a/internal/api/handler/handler_test.go b/internal/api/handler/handler_test.go
index 334b45b..b8fa711 100644
--- a/internal/api/handler/handler_test.go
+++ b/internal/api/handler/handler_test.go
@@ -699,18 +699,18 @@ func TestUserHandler_UpdateUserStatus_RequiresAdmin(t *testing.T) {
 	}
 }
-func TestUserHandler_GetUserRoles_Success(t *testing.T) {
+func TestUserHandler_GetUserRoles_ForbiddenForRegularUser(t *testing.T) {
 	server, cleanup := setupHandlerTestServer(t)
 	defer cleanup()
-	registerUser(server.URL, "rolesadmin", "rolesadmin@test.com", "AdminPass123!")
-	token := getToken(server.URL, "rolesadmin", "AdminPass123!")
+	registerUser(server.URL, "rolesuser", "rolesuser@test.com", "UserPass123!")
+	token := getToken(server.URL, "rolesuser", "UserPass123!")
 	resp, _ := doGet(server.URL+"/api/v1/users/1/roles", token)
 	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("expected status %d, got %d", http.StatusOK, resp.StatusCode)
+	if resp.StatusCode != http.StatusForbidden {
+		t.Errorf("expected status %d for non-admin user, got %d", http.StatusForbidden, resp.StatusCode)
 	}
 }
diff --git a/internal/api/router/router.go b/internal/api/router/router.go
index ec736d8..b64a70f 100644
--- a/internal/api/router/router.go
+++ b/internal/api/router/router.go
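Review bot: The renamed test keeps only the denial path, so after this commit nothing in the test file asserts that a caller holding `user:manage` still receives 200 from GET /api/v1/users/1/roles; a middleware regression that rejects every caller would pass the suite. Keep the positive case next to this one, e.g. a `TestUserHandler_GetUserRoles_SuccessForAdmin` that obtains a privileged token the same way `TestUserHandler_UpdateUserStatus_RequiresAdmin` presumably does (its body lies outside the hunk) and expects `http.StatusOK`. On the context line `resp, _ := doGet(server.URL+"/api/v1/users/1/roles", token)` the transport error is discarded, so a nil resp panics at `defer resp.Body.Close()` instead of producing a readable failure; `resp, err := doGet(...)` followed by `if err != nil { t.Fatalf("GET roles: %v", err) }` fixes that. A one-line comment above the test, `// Role assignments are authorization data; a regular user must not be able to enumerate another user's roles.`, would record why the expectation flipped from 200 to 403.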
@@ -212,7 +212,7 @@ func (r *Router) Setup() *gin.Engine {
 	users.DELETE("/:id", middleware.RequirePermission("user:delete"), r.userHandler.DeleteUser)
 	users.PUT("/:id/password", r.userHandler.UpdatePassword)
 	users.PUT("/:id/status", middleware.RequirePermission("user:manage"), r.userHandler.UpdateUserStatus)
-	users.GET("/:id/roles", r.userHandler.GetUserRoles)
+	users.GET("/:id/roles", middleware.RequirePermission("user:manage"), r.userHandler.GetUserRoles)
 	users.PUT("/:id/roles", middleware.RequirePermission("user:manage"), r.userHandler.AssignRoles)
 	users.PUT("/batch/status", middleware.RequirePermission("user:manage"), r.userHandler.BatchUpdateStatus)
 	users.DELETE("/batch", middleware.RequirePermission("user:delete"), r.userHandler.BatchDelete)
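Review bot: Gating GET /:id/roles on `user:manage` also denies a user reading their own role list, which is a stricter contract than the neighbouring `users.PUT("/:id/password", r.userHandler.UpdatePassword)` route that carries no route-level permission and presumably enforces a self-or-admin rule inside the handler. If any client (a profile page, a token-refresh flow) reads its own roles, it now gets 403; if that is intended, say so on the route, `// roles are authorization data: only user managers may read them, including for the caller's own account`, otherwise a self-or-`user:manage` check would be the more precise fix. Reusing a write permission for a read endpoint also means anyone who can list roles can change them; whether a read-only permission exists in this project is not visible from the hunk. Setup's body starts and ends outside the hunk, so other role-related routes in the group are not reviewed here.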