diff --git a/tests/frontend/api/test_mpsk.py b/tests/frontend/api/test_mpsk.py
index 725f6d15a..77da250b0 100644
--- a/tests/frontend/api/test_mpsk.py
+++ b/tests/frontend/api/test_mpsk.py
@@ -37,6 +37,11 @@ def test_invalid_password(self, client, auth_header, url, session, user):
         session.refresh(user)
         assert len(user.mpsk_clients) == 0
 
+    def test_not_a_member(self, client, auth_header, url_non_member, session, user_non_member):
+        client.assert_url_response_code(
+            url_non_member, code=412, headers=auth_header, method="POST", data=self.VALID_DATA
+        )
+
     @pytest.mark.parametrize("name", ("", "     ", " ", "   ", "  "))
     def test_invalid_name(self, client, auth_header, url, session, user, name):
         self.INVALID_name["name"] = name
@@ -63,6 +68,10 @@ def test_bad_data(self, client, auth_header, url, data):
     def url(self, user) -> str:
         return f"api/v0/user/{user.id}/add-mpsk"
 
+    @pytest.fixture(scope="module")
+    def url_non_member(self, user_non_member) -> str:
+        return f"api/v0/user/{user_non_member.id}/add-mpsk"
+
     def test_add_mpsk_needs_wifi_hash(self, client, auth_header, user_without_wifi_pw):
         client.assert_url_response_code(
             f"api/v0/user/{user_without_wifi_pw.id}/add-mpsk",
@@ -168,6 +177,10 @@ class TestEditMPSK:
     def url(self, user) -> str:
         return f"api/v0/user/{user.id}/change-mpsk/"
 
+    @pytest.fixture(scope="module")
+    def url_non_member(self, user_non_member2) -> str:
+        return f"api/v0/user/{user_non_member2.id}/change-mpsk/"
+
     @pytest.mark.parametrize(
         "data",
         (
@@ -183,6 +196,17 @@ def test_unfound_change(self, client, auth_header, url, data, session):
             url + "0", code=404, headers=auth_header, method="POST", data=self.VALID_DATA
         )
 
+    def test_edit_as_non_user(self, client, auth_header, session, user_non_member2, url_non_member):
+        mpsk = self.get_mpsk(user_non_member2, session, mac="00:de:ad:be:ef:02")
+
+        client.assert_url_response_code(
+            url_non_member + str(mpsk.id),
+            code=412,
+            headers=auth_header,
+            method="POST",
+            data=self.VALID_DATA,
+        )
+
     def get_mpsk(self, user, session, mac="00:de:ad:be:ef:00") -> MPSKClient:
         client = mpsk_client_create(session, owner=user, mac=mac, name="Fancy TV", processor=user)
         session.flush()
@@ -242,15 +266,40 @@ def test_invalid_mac(self, client, auth_header, url, session, user, data):
 
 
 @pytest.fixture(scope="module")
-def user(module_session) -> User:
+def user(module_session, config) -> User:
+    return f.UserFactory(
+        with_membership=True, membership__group=config.member_group, membership__includes_today=True
+    )
+
+
+@pytest.fixture(scope="module")
+def user_non_member(module_session) -> User:
     return f.UserFactory()
 
 
+@pytest.fixture(scope="module")
+def user_non_member2(module_session) -> User:
+    return f.UserFactory()
+
 @pytest.fixture
-def user_without_wifi_pw(module_session) -> User:
-    return f.UserFactory(wifi_passwd_hash=None)
+def user_without_wifi_pw(module_session, config) -> User:
+    user = f.UserFactory(
+        wifi_passwd_hash=None,
+        with_membership=True,
+        membership__group=config.member_group,
+        membership__includes_today=True,
+    )
+    module_session.flush()
+    return user
 
 
 @pytest.fixture
-def user_with_encrypted_wifi(module_session) -> User:
-    return f.UserFactory(wifi_passwd_hash="{somecryptprefix}garbledpasswordhash")
+def user_with_encrypted_wifi(module_session, config) -> User:
+    user = f.UserFactory(
+        wifi_passwd_hash="{somecryptprefix}garbledpasswordhash",
+        with_membership=True,
+        membership__group=config.member_group,
+        membership__includes_today=True,
+    )
+    module_session.flush()
+    return user
diff --git a/web/api/v0/__init__.py b/web/api/v0/__init__.py
index 53edfdd0d..6a84a8250 100644
--- a/web/api/v0/__init__.py
+++ b/web/api/v0/__init__.py
@@ -385,6 +385,9 @@ def post(self, user_id: int, password: str, mac: str, name: str) -> ResponseRetu
         if not user.wifi_password:
             abort(412, message="Please generate a wifi password first")
 
+        if not user.has_property("network_access"):
+            abort(412, message="User has to have network access.")
+
         try:
             mpsk_client = mpsk_client_create(
                 session.session, owner=user, mac=mac, name=name, processor=user
@@ -444,6 +447,10 @@ def post(
         self, user_id: int, mpsk_id: int, password: str, mac: str, name: str
     ) -> ResponseReturnValue:
         user = get_authenticated_user(user_id, password)
+
+        if not user.has_property("network_access"):
+            abort(412, message="User has to have network access.")
+
         mpsk = get_mpsk_client_or_404(mpsk_id)
 
         if user != mpsk.owner: