diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php index 790b132..1f5671b 100644 --- a/app/Http/Controllers/UserController.php +++ b/app/Http/Controllers/UserController.php @@ -4,6 +4,7 @@ namespace App\Http\Controllers; use App\Models\User; use Illuminate\Http\Request; +use function abort; use function redirect; class UserController extends Controller @@ -66,6 +67,8 @@ class UserController extends Controller public function set_school(Request $request, User $user) { + if ($request->user()->cannot('set_school',$user)) abort(403); + request()->validate([ 'school_id' => ['required','integer','exists:schools,id'] ]); diff --git a/app/Policies/SchoolPolicy.php b/app/Policies/SchoolPolicy.php index 71619b1..690671a 100644 --- a/app/Policies/SchoolPolicy.php +++ b/app/Policies/SchoolPolicy.php @@ -10,7 +10,7 @@ use function is_null; class SchoolPolicy { /** - * Grand admin users access to all functions + * Grant admin users access to all functions */ public function before(User $user, string $ability): bool|null { diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php new file mode 100644 index 0000000..ac85dfd --- /dev/null +++ b/app/Policies/UserPolicy.php 
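Review bot: The added guard `if ($request->user()->cannot('set_school',$user)) abort(403);` dereferences the authenticated user with no null check, so if this route is not behind the `auth` middleware (not visible in the hunk) a guest gets a 500 from calling `cannot()` on null rather than a 401/403. Laravel's idiom, `$this->authorize('set_school', $user);`, routes the check through the Gate, which handles a guest as a denial and throws AuthorizationException (rendered as 403), and it would make the `use function abort;` import unnecessary if nothing else in the file uses it — assuming the base Controller still uses the AuthorizesRequests trait. The same method mixes `$request->user()` on the new line with the `request()` helper on the very next statement; pick one. Since UserPolicy::set_school denies anyone who already has a `school_id`, this is effectively a write-once field for non-admins and deserves a comment above the check, e.g. `// Non-admins may set only their own school, and only once (see UserPolicy::set_school).` The body of set_school continues past the end of the hunk.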
@@ -0,0 +1,79 @@ +is_admin) return true; + return null; + } + /** + * Determine whether the user can view any models. + */ + public function viewAny(User $user): bool + { + // + } + + /** + * Determine whether the user can view the model. + */ + public function view(User $user, User $model): bool + { + // + } + + /** + * Determine whether the user can create models. + */ + public function create(User $user): bool + { + // + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, User $model): bool + { + // + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, User $model): bool + { + // + } + + /** + * Determine whether the user can restore the model. + */ + public function restore(User $user, User $model): bool + { + // + } + + /** + * Determine whether the user can permanently delete the model. + */ + public function forceDelete(User $user, User $model): bool + { + // + } + + public function set_school(User $user, User $model): bool + { + if($user->school_id) return false; + return $user->id == $model->id; + } +} diff --git a/resources/views/test.blade.php b/resources/views/test.blade.php index c22cbed..755cea8 100644 --- a/resources/views/test.blade.php +++ b/resources/views/test.blade.php @@ -1,13 +1,13 @@ @php use App\Models\School;use App\Models\SchoolEmailDomain;use App\Models\User;use Illuminate\Support\Facades\Auth; @endphp Test Page - @php - $x = SchoolEmailDomain::with('school')->where('domain','=',Auth::user()->emailDomain())->get(); - foreach ($x as $y) - { - echo "
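Review bot: Every stubbed ability (`viewAny`, `view`, `create`, `update`, `delete`, `restore`, `forceDelete`) is declared `: bool` but has an empty body, so a gate check on any of them for a non-admin (`$user->can('update', $other)`) throws a TypeError at runtime instead of denying; admins are unaffected only because `before` returns true first. Either delete the unused stubs or make each an explicit denial, e.g. `public function update(User $user, User $model): bool { return false; }`, and apply the same to the rest. In `set_school`, `return $user->id == $model->id;` should be `return $user->id === $model->id;` (both ids come from the same model key type), and the `if($user->school_id) return false;` guard relies on truthiness, which would also deny a school id of 0 — fine if ids start at 1, but worth a comment such as `// A user may choose a school only once; admins bypass this via before().` The top of the file (namespace, imports and the `before` signature) is not legible in this rendering, so the `before` hook is assessed from its visible `is_admin` check only.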

" . $y->school->name . "

"; - } - @endphp + +
+ @csrf + @method('PATCH') + + +