diff --git a/routes/deleteRoutes.js b/routes/deleteRoutes.js
index ebba7fd..bce2ff9 100644
--- a/routes/deleteRoutes.js
+++ b/routes/deleteRoutes.js
@@ -24,7 +24,7 @@ function forceCompanyForAdmin(req, res, next) {
 }
 // DELETE /admin/user/:id (moved from routes/admin.js)
-router.delete('/admin/user/:id', authMiddleware, AdminUserController.deleteUser);
+router.delete('/admin/user/:id', authMiddleware, adminOnly, AdminUserController.deleteUser);
 // DELETE /document-templates/:id (moved from routes/documentTemplates.js)
 router.delete('/document-templates/:id', authMiddleware, DocumentTemplateController.deleteTemplate);
diff --git a/routes/getRoutes.js b/routes/getRoutes.js
index 2d18c6b..faee98e 100644
--- a/routes/getRoutes.js
+++ b/routes/getRoutes.js
@@ -54,7 +54,7 @@ router.get('/user/status-progress', authMiddleware, UserStatusController.getStat
 router.get('/users/:id/full', authMiddleware, UserController.getFullUserData);
 router.get('/user/settings', authMiddleware, UserSettingsController.getSettings);
 router.get('/users/:id/permissions', authMiddleware, PermissionController.getUserPermissions);
-router.get('/admin/users/:id/full', authMiddleware, AdminUserController.getFullUserAccountDetails);
+router.get('/admin/users/:id/full', authMiddleware, adminOnly, AdminUserController.getFullUserAccountDetails);
 router.get('/admin/users/:id/detailed', authMiddleware, requireAdmin, AdminUserController.getDetailedUserInfo);
 router.get('/users/:id/documents', authMiddleware, UserController.getUserDocumentsAndContracts);
 router.get('/verify-password-reset', (req, res) => { /* Note: was moved from PasswordResetController.verifyPasswordResetToken */ res.status(204).end(); }); // keep placeholder if controller already registered via other verb
diff --git a/routes/postRoutes.js b/routes/postRoutes.js
index c37290b..3cc7f96 100644
--- a/routes/postRoutes.js
+++ b/routes/postRoutes.js
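Review bot: `adminOnly` is referenced on the changed `router.delete('/admin/user/:id', authMiddleware, adminOnly, AdminUserController.deleteUser);` line, but nothing shown for deleteRoutes.js defines or imports it — the only local helper visible in the hunk header is `forceCompanyForAdmin`, and the `adminOnly` definition that is visible in this diff lives in putRoutes.js. If the name is not in scope in this file, the module fails at load (a ReferenceError, or Express's "requires a callback function" error if it resolves to undefined) and the route never registers; the same question applies to the getRoutes.js and postRoutes.js hunks. Confirm each file imports the guard from one shared middleware module rather than keeping per-file copies, and add a route test asserting that a non-admin session receives 403 on this path.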
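Review bot: The new `router.get('/admin/users/:id/full', authMiddleware, adminOnly, …)` line uses `adminOnly`, while the sibling `/admin/users/:id/detailed` route on the very next line uses `requireAdmin`. Unless the two middlewares are aliases of one another, two endpoints exposing the same user's account data now enforce different admin checks, and a reader cannot tell which policy is intended. Standardize on one guard for every `/admin/*` route in this file; if `requireAdmin` is the established one, the line should read `router.get('/admin/users/:id/full', authMiddleware, requireAdmin, AdminUserController.getFullUserAccountDetails);`.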
@@ -73,8 +73,8 @@ router.post('/profile/personal/complete', authMiddleware, PersonalProfileControl
 router.post('/profile/company/complete', authMiddleware, CompanyProfileController.completeProfile);
 // Admin POSTs (moved from routes/admin.js)
-router.post('/admin/verify-user/:id', authMiddleware, AdminUserController.verifyUser);
-router.post('/admin/send-password-reset/:userId', authMiddleware, async (req, res) => {
+router.post('/admin/verify-user/:id', authMiddleware, adminOnly, AdminUserController.verifyUser);
+router.post('/admin/send-password-reset/:userId', authMiddleware, adminOnly, async (req, res) => {
 const userId = req.params.userId;
 // require here to avoid circular/top-level ordering issues
 const UnitOfWork = require('../database/UnitOfWork');
diff --git a/routes/putRoutes.js b/routes/putRoutes.js
index 3142928..c25b4d6 100644
--- a/routes/putRoutes.js
+++ b/routes/putRoutes.js
@@ -17,7 +17,7 @@ function adminOnly(req, res, next) {
 }
 // PUT /admin/users/:id/permissions (moved from routes/admin.js)
-router.put('/admin/users/:id/permissions', authMiddleware, AdminUserController.updateUserPermissions);
+router.put('/admin/users/:id/permissions', authMiddleware, adminOnly, AdminUserController.updateUserPermissions);
 // PUT /document-templates/:id (moved from routes/documentTemplates.js)
 router.put('/document-templates/:id', authMiddleware, upload.single('file'), DocumentTemplateController.updateTemplate);
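Review bot: The inline `async (req, res) => {` handler on the changed `/admin/send-password-reset/:userId` line continues past the hunk, so the diff does not show whether failures are forwarded with `next(err)` or caught in a try/catch; under Express 4 a rejected promise from an async route handler is not passed to the error middleware and the request hangs until the client gives up (Express 5 forwards it automatically). If the body does not already handle this, wrap the handler in a small `asyncHandler` helper or add the try/catch. Moving this logic into `AdminUserController` next to `verifyUser` would also keep the route table declarative, as the other admin routes in this hunk are.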
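Review bot: `adminOnly` is a file-local function in putRoutes.js (its signature is the hunk's header context), and this commit had to patch four route files one line at a time to apply it, which is how these admin routes were left without the check in the first place. A guard that depends on every `/admin/...` route line remembering to name it is easy to miss again; consider mounting the admin routes on a dedicated sub-router with `adminRouter.use(authMiddleware, adminOnly);` so the check is applied path-wide and a new admin route cannot be registered without it. The guard itself belongs in one shared middleware module imported by each route file rather than duplicated per file. adminOnly's body is outside the hunk.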