diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index e5ac6fb33..2495663d5 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -94,6 +94,7 @@ services:
DB_USER: "hangarauth"
DB_PASSWORD: "hangarauth"
DB_HOST: "db"
+ APP_HOST: "http://localhost:8080"
SSO_ENDPOINT_hangar: "{ 'sync_sso_endpoint': ('http://app:8080/api/sync_sso'), 'sso_secret': 'changeme', 'api_key': 'changeme' }"
DEBUG: "true"
DJANGO_SETTINGS_MODULE: "spongeauth.settings.prod"
diff --git a/src/main/java/io/papermc/hangar/controller/UsersController.java b/src/main/java/io/papermc/hangar/controller/UsersController.java
index 10655863e..aae586768 100644
--- a/src/main/java/io/papermc/hangar/controller/UsersController.java
+++ b/src/main/java/io/papermc/hangar/controller/UsersController.java
@@ -8,11 +8,13 @@ import io.papermc.hangar.db.model.NotificationsTable;
import io.papermc.hangar.db.model.OrganizationsTable;
import io.papermc.hangar.db.model.UsersTable;
import io.papermc.hangar.model.InviteFilter;
+import io.papermc.hangar.model.NamedPermission;
import io.papermc.hangar.model.NotificationFilter;
import io.papermc.hangar.model.Prompt;
import io.papermc.hangar.model.viewhelpers.InviteSubject;
import io.papermc.hangar.model.viewhelpers.UserData;
import io.papermc.hangar.model.viewhelpers.UserRole;
+import io.papermc.hangar.security.annotations.GlobalPermission;
import io.papermc.hangar.service.ApiKeyService;
import io.papermc.hangar.service.AuthenticationService;
import io.papermc.hangar.service.NotificationService;
@@ -21,6 +23,7 @@ import io.papermc.hangar.service.PermissionService;
import io.papermc.hangar.service.RoleService;
import io.papermc.hangar.service.SitemapService;
import io.papermc.hangar.service.SsoService;
+import io.papermc.hangar.service.SsoService.SignatureException;
import io.papermc.hangar.service.UserActionLogService;
import io.papermc.hangar.service.UserService;
import io.papermc.hangar.service.sso.AuthUser;
@@ -44,7 +47,6 @@ import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;
-import org.springframework.web.servlet.view.RedirectView;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -240,12 +242,27 @@ public class UsersController extends HangarController {
return fillModel(mav);
}
+ @GlobalPermission(NamedPermission.EDIT_OWN_USER_SETTINGS)
@Secured("ROLE_USER")
- @PostMapping("/{user}/settings/lock/{locked}")
- public RedirectView setLocked(@PathVariable String user, @PathVariable boolean locked, @RequestParam String sso, @RequestParam String sig) {
- // TODO auth
- userService.setLocked(user, locked);
- return new RedirectView(Routes.getRouteUrlOf("users.showProjects", user));
+ @GetMapping("/{user}/settings/lock/{locked}")
+ public ModelAndView setLocked(@PathVariable String user, @PathVariable boolean locked, @RequestParam(required = false) String sso, @RequestParam(required = false) String sig) {
+ UsersTable curUser = getCurrentUser();
+ if (!hangarConfig.fakeUser.isEnabled()) {
+ try {
+ AuthUser authUser = ssoService.authenticate(sso, sig);
+ if (authUser == null || authUser.getId() != curUser.getId()) {
+ throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
+ }
+ } catch (SignatureException e) {
+ throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
+ }
+ }
+
+ if (!locked) {
+ // TODO email!
+ }
+ userService.setLocked(curUser, locked);
+ return Routes.USERS_SHOW_PROJECTS.getRedirect(user);
}
@Secured("ROLE_USER")
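Review bot: `setLocked` now changes account state on a GET, and the `sso`/`sig` verification that guards `userService.setLocked(curUser, locked)` is skipped entirely when `hangarConfig.fakeUser.isEnabled()`, so in that mode any cross-site GET made with the user's session can toggle the lock. Both parameters are now `required = false` but are passed straight to `ssoService.authenticate(sso, sig)` with only `SignatureException` caught; rejecting missing values first, e.g. `if (sso == null || sig == null) throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);`, keeps that case a clean 401 rather than depending on how `authenticate` handles nulls, which is not visible here. The `{user}` path variable is never compared with `curUser`, so a URL naming another account still toggles the caller's own lock and then redirects to the other profile; a check such as `if (!curUser.getName().equals(user))` would close that gap, assuming `UsersTable` exposes the name that way. If either `getId()` returns a boxed `Long`, `authUser.getId() != curUser.getId()` compares references rather than values, so the return types are worth confirming.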
diff --git a/src/main/java/io/papermc/hangar/service/UserService.java b/src/main/java/io/papermc/hangar/service/UserService.java
index c81966e30..96e832c2f 100644
--- a/src/main/java/io/papermc/hangar/service/UserService.java
+++ b/src/main/java/io/papermc/hangar/service/UserService.java
@@ -156,8 +156,7 @@ public class UserService extends HangarService {
}
}
- public void setLocked(String userName, boolean locked) {
- UsersTable user = userDao.get().getByName(userName);
+ public void setLocked(UsersTable user, boolean locked) {
user.setIsLocked(locked);
userDao.get().update(user);
}
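Review bot: `setLocked(UsersTable user, boolean locked)` dereferences `user` with no null check and does no authorization of its own, so every caller must pass a row it has already verified. A Javadoc line would make that contract explicit, e.g. `/** Sets the lock flag on the given user and persists it; the caller is responsible for verifying the user's identity. */`. A guard such as `Objects.requireNonNull(user, "user");` as the first statement would make a bad call fail with a clear message instead of an NPE on `user.setIsLocked(locked)`.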
diff --git a/src/main/resources/templates/users/view.ftlh b/src/main/resources/templates/users/view.ftlh
index 6ccccfecb..3bb441cdd 100644
--- a/src/main/resources/templates/users/view.ftlh
+++ b/src/main/resources/templates/users/view.ftlh
@@ -75,7 +75,7 @@
">
+ data-placement="top" title="<#if !u.user.isLocked()><@spring.message "user.lock" /><#else><@spring.message "user.unlock" />#if>">