diff --git a/app/blueprints/users/settings.py b/app/blueprints/users/settings.py
index 7dccf83..884020f 100644
--- a/app/blueprints/users/settings.py
+++ b/app/blueprints/users/settings.py
@@ -159,6 +159,9 @@ def email_notifications(username=None):
 	if not user:
 		abort(404)
 
+	if not user.checkPerm(current_user, Permission.CHANGE_EMAIL):
+		abort(403)
+
 	is_new = False
 	prefs = user.notification_preferences
 	if prefs is None: