diff --git a/test/mv_web/authorization_test.exs b/test/mv_web/authorization_test.exs
index 17bbe4b..d07e482 100644
--- a/test/mv_web/authorization_test.exs
+++ b/test/mv_web/authorization_test.exs
@@ -183,6 +183,39 @@ defmodule MvWeb.AuthorizationTest do
 assert Authorization.can_access_page?(read_only_user, "/members/123/edit") == false
 end
 
+ test "read_only can access own profile /users/:id only" do
+ read_only_user = %{
+ id: "read-only-123",
+ role: %{permission_set_name: "read_only"}
+ }
+
+ assert Authorization.can_access_page?(read_only_user, "/users/read-only-123") == true
+ assert Authorization.can_access_page?(read_only_user, "/users/read-only-123/edit") == true
+ assert Authorization.can_access_page?(read_only_user, "/users/other-id") == false
+ assert Authorization.can_access_page?(read_only_user, "/users/other-id/edit") == false
+ end
+
+ test "normal_user can access own profile /users/:id only" do
+ normal_user = %{
+ id: "normal-456",
+ role: %{permission_set_name: "normal_user"}
+ }
+
+ assert Authorization.can_access_page?(normal_user, "/users/normal-456") == true
+ assert Authorization.can_access_page?(normal_user, "/users/normal-456/edit") == true
+ assert Authorization.can_access_page?(normal_user, "/users/other-id") == false
+ end
+
+ test "reserved segment 'new' is not matched by :id" do
+ read_only_user = %{
+ id: "read-only-123",
+ role: %{permission_set_name: "read_only"}
+ }
+
+ assert Authorization.can_access_page?(read_only_user, "/members/new") == false
+ assert Authorization.can_access_page?(read_only_user, "/groups/new") == false
+ end
+
 test "returns false for nil user" do
 assert Authorization.can_access_page?(nil, "/members") == false
 assert Authorization.can_access_page?(nil, "/admin/roles") == false
diff --git a/test/mv_web/plugs/check_page_permission_test.exs b/test/mv_web/plugs/check_page_permission_test.exs
index 71d625f..4b2217c 100644
--- a/test/mv_web/plugs/check_page_permission_test.exs
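Review bot: The negative cases in the new own-profile tests use an id (`other-id`) that shares no prefix with the user's own id, so an implementation of `can_access_page?/2` that matches `/users/:id` by prefix or substring instead of by whole path segment would still pass these tests; add `assert Authorization.can_access_page?(read_only_user, "/users/read-only-1234") == false` and `assert Authorization.can_access_page?(read_only_user, "/users/read-only-123x/edit") == false` alongside the existing asserts. The "reserved segment 'new'" test checks `/members/new` and `/groups/new` but not `/users/new`, even though `/users/:id` is the route this hunk introduces an id-based rule for, so `assert Authorization.can_access_page?(read_only_user, "/users/new") == false` belongs there too. The `normal_user` test also lacks the `/users/other-id/edit` negative that the `read_only` test has, which leaves the edit path for another user's profile untested for that role. Whether the implementation normalizes the path before comparison is not visible in this diff, so the extra asserts are the cheap way to pin it.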
+++ b/test/mv_web/plugs/check_page_permission_test.exs
@@ -292,7 +292,14 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
 setup %{conn: conn, current_user: current_user} do
 member = Mv.Fixtures.member_fixture()
 role = Mv.Fixtures.role_fixture("admin")
- {:ok, conn: conn, current_user: current_user, member_id: member.id, role_id: role.id}
+ group = Mv.Fixtures.group_fixture()
+
+ {:ok,
+ conn: conn,
+ current_user: current_user,
+ member_id: member.id,
+ role_id: role.id,
+ group_slug: group.slug}
 end
 
 @tag role: :member
@@ -364,11 +371,12 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
 end
 
 @tag role: :member
- test "GET /groups/:slug redirects to user profile", %{conn: conn, current_user: user} do
- group = Mv.Membership.Group |> Ash.Query.limit(1) |> Ash.read!() |> List.first()
-
- if group,
- do: assert(redirected_to(get(conn, "/groups/#{group.slug}")) == "/users/#{user.id}")
+ test "GET /groups/:slug redirects to user profile", %{
+ conn: conn,
+ current_user: user,
+ group_slug: slug
+ } do
+ assert redirected_to(get(conn, "/groups/#{slug}")) == "/users/#{user.id}"
 end
 
 @tag role: :member
@@ -543,6 +551,27 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
 conn = get(conn, "/groups/#{slug}")
 assert conn.status == 200
 end
+
+ @tag role: :read_only
+ test "GET /users/:id (own profile) returns 200", %{conn: conn, current_user: user} do
+ conn = get(conn, "/users/#{user.id}")
+ assert conn.status == 200
+ end
+
+ @tag role: :read_only
+ test "GET /users/:id/edit (own profile edit) returns 200", %{conn: conn, current_user: user} do
+ conn = get(conn, "/users/#{user.id}/edit")
+ assert conn.status == 200
+ end
+
+ @tag role: :read_only
+ test "GET /users/:id/show/edit (own profile show edit) returns 200", %{
+ conn: conn,
+ current_user: user
+ } do
+ conn = get(conn, "/users/#{user.id}/show/edit")
+ assert conn.status == 200
+ end
 end
 
 describe "integration: read_only denied paths via full router" do
@@ -594,6 +623,17 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
 assert redirected_to(conn) == "/users/#{user.id}"
 end
 
+ @tag role: :read_only
+ test "GET /users/:id (other user) redirects to user profile", %{
+ conn: conn,
+ current_user: user,
+ role_id: _role_id
+ } do
+ other_user = Mv.Fixtures.user_with_role_fixture("admin")
+ conn = get(conn, "/users/#{other_user.id}")
+ assert redirected_to(conn) == "/users/#{user.id}"
+ end
+
 @tag role: :read_only
 test "GET /settings redirects to user profile", %{conn: conn, current_user: user} do
 conn = get(conn, "/settings")
@@ -701,6 +741,33 @@ defmodule MvWeb.Plugs.CheckPagePermissionTest do
 conn = get(conn, "/groups/#{slug}")
 assert conn.status == 200
 end
+
+ @tag role: :normal_user
+ test "GET /members/:id/show/edit returns 200", %{conn: conn, member_id: id} do
+ conn = get(conn, "/members/#{id}/show/edit")
+ assert conn.status == 200
+ end
+
+ @tag role: :normal_user
+ test "GET /users/:id (own profile) returns 200", %{conn: conn, current_user: user} do
+ conn = get(conn, "/users/#{user.id}")
+ assert conn.status == 200
+ end
+
+ @tag role: :normal_user
+ test "GET /users/:id/edit (own profile edit) returns 200", %{conn: conn, current_user: user} do
+ conn = get(conn, "/users/#{user.id}/edit")
+ assert conn.status == 200
+ end
+
+ @tag role: :normal_user
+ test "GET /users/:id/show/edit (own profile show edit) returns 200", %{
+ conn: conn,
+ current_user: user
+ } do
+ conn = get(conn, "/users/#{user.id}/show/edit")
+ assert conn.status == 200
+ end
 end
 
 describe "integration: normal_user denied paths via full router" do
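Review bot: The new denied-path test in hunk @@ -594 only covers `GET /users/:id` for another user's id, while the `/users/:id/edit` and `/users/:id/show/edit` routes that hunk @@ -543 just allowed for the user's own id are never requested with another user's id, so a rule that only guards the bare profile path would pass this suite; the same gap applies to the `normal_user` describe that hunk @@ -701 adds own-profile cases to, whose denied section gets no other-user test in this diff (unless it exists outside the shown hunks). The `role_id: _role_id` entry in that test's context pattern is unused and can be dropped, leaving `%{conn: conn, current_user: user}` as in the neighbouring tests. The enclosing `describe` blocks and the test module continue outside both hunks. Two additional tests for the read_only denied describe would close the gap:

```elixir
@tag role: :read_only
test "GET /users/:id/edit (other user) redirects to user profile", %{conn: conn, current_user: user} do
  other_user = Mv.Fixtures.user_with_role_fixture("admin")
  conn = get(conn, "/users/#{other_user.id}/edit")
  assert redirected_to(conn) == "/users/#{user.id}"
end

@tag role: :read_only
test "GET /users/:id/show/edit (other user) redirects to user profile", %{conn: conn, current_user: user} do
  other_user = Mv.Fixtures.user_with_role_fixture("admin")
  conn = get(conn, "/users/#{other_user.id}/show/edit")
  assert redirected_to(conn) == "/users/#{user.id}"
end
```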