diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt b/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
index db0e430..d6dacf2 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/IssuedCards.kt
@@ -157,9 +157,9 @@ class IssuedCards(
 @PathVariable cardIndex: Int,
 @AuthenticationPrincipal principal: MyPrincipal?
 ): CardRevokeResponse {
- requireRevokeActor(propertyId, principal)
 val card = issuedCardRepo.findByPropertyIdAndCardIndex(propertyId, cardIndex)
 ?: throw ResponseStatusException(HttpStatus.NOT_FOUND, "Card not found")
+ requireRevokeActor(propertyId, principal, card.roomStay == null)
 if (card.revokedAt == null) {
 val now = nowForProperty(card.property.timezone)
 card.revokedAt = now
@@ -231,12 +231,16 @@ class IssuedCards(
 }
 }
- private fun requireRevokeActor(propertyId: UUID, principal: MyPrincipal?) {
+ private fun requireRevokeActor(propertyId: UUID, principal: MyPrincipal?, isTempCard: Boolean) {
 if (principal == null) {
 throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")
 }
 propertyAccess.requireMember(propertyId, principal.userId)
- propertyAccess.requireAnyRole(propertyId, principal.userId, Role.ADMIN)
+ if (isTempCard) {
+ propertyAccess.requireAnyRole(propertyId, principal.userId, Role.ADMIN, Role.MANAGER)
+ } else {
+ propertyAccess.requireAnyRole(propertyId, principal.userId, Role.ADMIN)
+ }
 }
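Review bot: In the first hunk, moving `requireRevokeActor` below the `findByPropertyIdAndCardIndex` lookup means the `NOT_FOUND` response is now produced before any authentication or membership check, so a caller with no principal or no membership gets a 404 for a missing card and a different status for an existing one, which discloses which card indexes exist for a property. Only the role decision needs the loaded card, so the identity checks should stay ahead of the lookup: `if (principal == null) throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing principal")` and `propertyAccess.requireMember(propertyId, principal.userId)` before `val card = ...`, with the `requireAnyRole` branch left after it. Separately, `card.roomStay == null` is the only thing that marks a card as temporary here; if a card can have a null `roomStay` for any other reason (not visible in this diff), a MANAGER would be able to revoke it, so that assumption deserves a comment at the call site or an explicit flag on the card. The handler's signature starts above the hunk and its body continues below it.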