diff --git a/internal/api/room/control.go b/internal/api/room/control.go
index 659b87ba..cf474ee8 100644
--- a/internal/api/room/control.go
+++ b/internal/api/room/control.go
@@ -41,6 +41,11 @@ func (h *RoomHandler) controlRequest(w http.ResponseWriter, r *http.Request) {
 }
 session := auth.GetSession(r)
+ if !session.CanHost() {
+ utils.HttpBadRequest(w, "Member is not allowed to host.")
+ return
+ }
+
 h.sessions.SetHost(session)
 h.sessions.Broadcast(
@@ -56,7 +61,12 @@ func (h *RoomHandler) controlRelease(w http.ResponseWriter, r *http.Request) {
 session := auth.GetSession(r)
 if !session.IsHost() {
- utils.HttpUnprocessableEntity(w, "User is not the host.")
+ utils.HttpUnprocessableEntity(w, "Member is not the host.")
+ return
+ }
+
+ if !session.CanHost() {
+ utils.HttpBadRequest(w, "Member is not allowed to host.")
 return
 }
@@ -74,6 +84,10 @@ func (h *RoomHandler) controlTake(w http.ResponseWriter, r *http.Request) {
 session := auth.GetSession(r)
+ if !session.CanHost() {
+ utils.HttpBadRequest(w, "Member is not allowed to host.")
+ return
+ }
 h.sessions.SetHost(session)
@@ -95,7 +109,12 @@ func (h *RoomHandler) controlGive(w http.ResponseWriter, r *http.Request) {
 target, ok := h.sessions.Get(data.ID)
 if !ok {
- utils.HttpBadRequest(w, "Target user was not found.")
+ utils.HttpBadRequest(w, "Target member was not found.")
+ return
+ }
+
+ if !target.CanHost() {
+ utils.HttpBadRequest(w, "Target member is not allowed to host.")
 return
 }
diff --git a/internal/session/manager.go b/internal/session/manager.go
index 382f5cc2..67d90a0d 100644
--- a/internal/session/manager.go
+++ b/internal/session/manager.go
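Review bot: The new CanHost guard in controlRequest answers a permission denial with utils.HttpBadRequest, which classifies a forbidden action as a malformed request; the same choice is repeated in controlRelease, controlTake and for the target in controlGive in this file. A forbidden-style response (if utils provides such a helper) separates "this member may not host" from a bad payload and is what clients and access logs normally key on for authorization failures; at minimum the three handlers should agree on one status for "not allowed to host", distinct from the HttpUnprocessableEntity already used for "not the host". controlRequest's body starts before and continues after the hunk.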
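Review bot: In controlRelease the new CanHost check sits after IsHost, so a session that currently holds host but is not (or no longer) permitted to host can neither release control through this endpoint nor, as far as this hunk shows, be moved off it, leaving control stuck on that member; the websocket controlRelease in internal/websocket/handler/control.go has the same shape with the two checks in the opposite order. Whether CanHost can change for a live session is not visible here, but if it is static the check is dead (a host already passed it to become host), and if it is dynamic it traps the host either way, so releasing control should not require the permission to acquire it. Suggest dropping the CanHost block from both release handlers, or stating the reason above it, e.g. `// release is gated on CanHost because ...`. controlRelease continues past the end of the hunk.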
@@ -68,7 +68,7 @@ func (manager *SessionManagerCtx) Connect() error {
 _ = manager.add(id, profile)
 }
- // TODO: Move to Database, or make `admin` as reserved user.
+ // TODO: Move to Database, or make `admin` as reserved ID.
 // create default admin account at startup
 _ = manager.add("admin", types.MemberProfile{
diff --git a/internal/websocket/handler/control.go b/internal/websocket/handler/control.go
index 6428311e..69697c02 100644
--- a/internal/websocket/handler/control.go
+++ b/internal/websocket/handler/control.go
@@ -7,6 +7,11 @@ import (
 )
 func (h *MessageHandlerCtx) controlRelease(session types.Session) error {
+ if !session.CanHost() {
+ h.logger.Debug().Str("id", session.ID()).Msg("is not allowed to host")
+ return nil
+ }
+
 if !session.IsHost() {
 h.logger.Debug().Str("id", session.ID()).Msg("is not the host")
 return nil
@@ -25,6 +30,11 @@ func (h *MessageHandlerCtx) controlRelease(session types.Session) error {
 }
 func (h *MessageHandlerCtx) controlRequest(session types.Session) error {
+ if !session.CanHost() {
+ h.logger.Debug().Str("id", session.ID()).Msg("is not allowed to host")
+ return nil
+ }
+
 if session.IsHost() {
 h.logger.Debug().Str("id", session.ID()).Msg("is already the host")
 return nil
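Review bot: In the websocket controlRelease the new denial path logs at Debug and returns nil, so a member repeatedly attempting to take or release control without the CanHost permission is invisible at the usual log level and no error reaches the caller (whether the client is told is not visible here); the controlRequest hunk in the same file does the same. This is an authorization decision rather than a tracing detail, so Info or Warn with the attempted action would make it auditable, e.g. `h.logger.Warn().Str("id", session.ID()).Str("action", "control.release").Msg("is not allowed to host")`; returning nil mirrors the existing IsHost branch, so that part is consistent with the file. Both handlers continue beyond their hunks.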