diff --git a/src/main/java/org/caosdb/server/resource/Webinterface.java b/src/main/java/org/caosdb/server/resource/Webinterface.java
index adba714a96e5bbb4bc3ea13b8d72ec69a88cb33b..95901260937a5364a68ed3e9e6849210bd67d6b3 100644
--- a/src/main/java/org/caosdb/server/resource/Webinterface.java
+++ b/src/main/java/org/caosdb/server/resource/Webinterface.java
@@ -81,7 +81,9 @@ public class Webinterface extends ServerResource {
                             ? MediaType.IMAGE_PNG
                             : path.endsWith(".html")
                                 ? MediaType.TEXT_HTML
-                                : path.endsWith(".yaml") ? MediaType.TEXT_YAML : MediaType.TEXT_XML;
+                                : path.endsWith(".yaml")
+                                    ? MediaType.TEXT_YAML
+                                    : path.endsWith(".xml") ? MediaType.TEXT_XML : MediaType.ALL;
 
     final FileRepresentation ret = new FileRepresentation(file, mt);
 
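Review bot: The new fallback `MediaType.ALL` at the end of the ternary is the wildcard `*/*`, which is meant for Accept-style matching and is not a concrete type to label a response with. If it reaches the `Content-Type` header as-is (not visible in this hunk), browsers may content-sniff files with unrecognised extensions, so a file that used to be served as XML could be rendered as HTML. A safer default is `: path.endsWith(".xml") ? MediaType.TEXT_XML : MediaType.APPLICATION_OCTET_STREAM;`, ideally with `X-Content-Type-Options: nosniff` on these responses. The ternary chain starts above the hunk, so the earlier extension checks were not reviewed.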
diff --git a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
index 439f3b3a2d373d2e1eb07dcc94eff29034e1cdcf..2ade4e8595f159d1fc6996c1e04913f4195ecd97 100644
--- a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
@@ -48,11 +48,12 @@ public class ListUsersTransaction extends AccessControlTransaction {
 
     // remove roles
     for (ProtoUser user : users) {
-      if (user.roles != null)
+      if (user.roles != null) {
         if (!currentUser.isPermitted(
             ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
           user.roles = null;
         }
+      }
     }
   }
 
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java b/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
index 55e4bf85032926fd9db932a5910c6eb01063bd62..4847c4b3e9b87367cd707b81f68de2d60798a146 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
@@ -24,6 +24,9 @@
 package org.caosdb.server.transaction;
 
 import java.util.Set;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.accessControl.Principal;
 import org.caosdb.server.accessControl.UserSources;
 import org.caosdb.server.database.backend.transaction.RetrieveUser;
@@ -42,10 +45,21 @@ public class RetrieveUserTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
-    if (!UserSources.isUserExisting(this.principal)) {
+    Subject currentUser = SecurityUtils.getSubject();
+    if (!UserSources.isUserExisting(this.principal)
+        || !currentUser.isPermitted(
+            ACMPermissions.PERMISSION_RETRIEVE_USER_INFO(
+                this.principal.getRealm(), this.principal.getUsername()))) {
       throw ServerMessages.ACCOUNT_DOES_NOT_EXIST;
     }
     this.user = execute(new RetrieveUser(this.principal), getAccess()).getUser();
+
+    if (user.roles != null) {
+      if (!currentUser.isPermitted(
+          ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+        user.roles = null;
+      }
+    }
   }
 
   public static Element getUserElement(final ProtoUser user) {
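Review bot: The combined condition in `transaction()` throws `ACCOUNT_DOES_NOT_EXIST` for a missing account and for a caller without `PERMISSION_RETRIEVE_USER_INFO` alike, and nothing on the page says this is intentional. If it is meant to stop callers probing which accounts exist, say so above the `if`, e.g. `// Same error for "missing" and "not permitted" so callers cannot probe which accounts exist.`, so it is not later "corrected" to a distinct forbidden error. The info check builds its permission from `this.principal.getRealm()`/`getUsername()`, while the roles check uses `user.realm`/`user.name`. If the backend normalises or defaults the realm (an inference, not shown here), the two checks could be evaluated against different identifiers, so use one source for both. The role-stripping block also duplicates the loop body in `ListUsersTransaction`, and a shared helper would keep the two permission checks from drifting apart.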