diff --git a/account.php b/account.php
index a9ad13f..7d026ee 100644
--- a/account.php
+++ b/account.php
@@ -1,10 +1,6 @@
 <?php
 
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 if (empty($_SESSION['user_id']))
 {
@@ -123,9 +119,11 @@ include 'header.php';
                     Schnellaktionen
                 </h2>
                 <div class="account__quick-actions">
+                    <?php if (!empty($_SESSION['user_roles']) && in_array('ADMIN', $_SESSION['user_roles'], true)): ?>
                     <a href="productAdder.php" class="auth__submit account__action-link">
                         Produkt hinzufügen
                     </a>
+                    <?php endif; ?>
                     <a href="wunschliste.php" class="auth__submit account__action-link account__action-link--secondary">
                         Meine Wunschliste
                     </a>
diff --git a/lib/bootstrap.php b/lib/bootstrap.php
index 2fa0303..ec4d41a 100644
--- a/lib/bootstrap.php
+++ b/lib/bootstrap.php
@@ -2,6 +2,7 @@
 // Zentraler Bootstrap: muss vor jeglicher HTML-Ausgabe inkludiert werden.
 // - startet die Session genau einmal
 // - setzt sinnvolle PHP-Error-Settings für die Entwicklung
+// - lädt die Rollen des eingeloggten Users bei jedem Request
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
@@ -10,3 +11,28 @@ error_reporting(E_ALL);
 if (session_status() !== PHP_SESSION_ACTIVE) {
     session_start();
 }
+
+// Rollen bei jedem Request aus der DB aktualisieren
+if (!empty($_SESSION['user_id'])) {
+    $__bsConn = new mysqli('localhost', 'FSST', 'L9wUNZZ9Qkbt', 'FSST', 3306);
+    if (!$__bsConn->connect_error) {
+        $__bsStmt = $__bsConn->prepare(
+            'SELECT r.name FROM userRoles ur JOIN roles r ON r.roleID = ur.roleID WHERE ur.userID = ?'
+        );
+        if ($__bsStmt) {
+            $__bsUid = (int)$_SESSION['user_id'];
+            $__bsStmt->bind_param('i', $__bsUid);
+            $__bsStmt->execute();
+            $__bsResult = $__bsStmt->get_result();
+            $_SESSION['user_roles'] = [];
+            while ($__bsRow = $__bsResult->fetch_assoc()) {
+                $_SESSION['user_roles'][] = $__bsRow['name'];
+            }
+            $__bsStmt->close();
+        }
+        $__bsConn->close();
+    }
+} else {
+    $_SESSION['user_roles'] = [];
+}
+
diff --git a/login.php b/login.php
index 3989958..92709bf 100644
--- a/login.php
+++ b/login.php
@@ -1,11 +1,7 @@
 <?php
 // login.php
 
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";
diff --git a/logout.php b/logout.php
index f2cf5bb..8bd705a 100644
--- a/logout.php
+++ b/logout.php
@@ -1,5 +1,5 @@
 <?php
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 /* Alle Session-Variablen löschen */
 $_SESSION = [];
diff --git a/productAdder.php b/productAdder.php
index b6f9e7b..0edea3b 100644
--- a/productAdder.php
+++ b/productAdder.php
@@ -1,10 +1,21 @@
 <?php
 // product_add.php
 
-ini_set('display_errors', 1);
-error_reporting(E_ALL);
+require_once __DIR__ . '/lib/bootstrap.php';
 
-session_start();
+/* =======================
+   0) Zugriffskontrolle – nur ADMIN
+   ======================= */
+if (empty($_SESSION['user_id']) || empty($_SESSION['user_roles']) || !in_array('ADMIN', $_SESSION['user_roles'], true)) {
+    http_response_code(403);
+    include 'header.php';
+    echo '<main class="auth"><section class="auth__grid"><div class="auth__card">';
+    echo '<h2 class="auth__title">Zugriff verweigert</h2>';
+    echo '<p>Du hast keine Berechtigung, Produkte hinzuzufügen.</p>';
+    echo '</div></section></main>';
+    include 'footer.php';
+    exit;
+}
 
 /* =======================
    1) Kategorie aus GET
diff --git a/productpage.php b/productpage.php
index d11d2d0..00cf361 100644
--- a/productpage.php
+++ b/productpage.php
@@ -1,11 +1,7 @@
 <?php
 // productpage.php
 
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";
diff --git a/register.php b/register.php
index 001dafe..f2038a0 100644
--- a/register.php
+++ b/register.php
@@ -1,11 +1,7 @@
 <?php
 // register.php
 
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 require_once __DIR__ . '/lib/strings.php';
 
diff --git a/upload.php b/upload.php
index ab33f56..3e745d9 100644
--- a/upload.php
+++ b/upload.php
@@ -1,11 +1,6 @@
 <?php
 
-// Produktion: keine PHP-Fehler im Browser ausgeben (Logs bleiben serverseitig)
-ini_set('display_errors', 0);
-ini_set('display_startup_errors', 0);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 if (empty($_SESSION['user_id']))
 {
diff --git a/wunschliste.php b/wunschliste.php
index 48422b0..964b9cf 100644
--- a/wunschliste.php
+++ b/wunschliste.php
@@ -1,11 +1,7 @@
 <?php
 // wunschliste.php
 
-ini_set('display_errors', 1);
-ini_set('display_startup_errors', 1);
-error_reporting(E_ALL);
-
-session_start();
+require_once __DIR__ . '/lib/bootstrap.php';
 
 // 1) DB-Verbindung (einmal)
 $servername = "localhost";