diff --git a/app/controllers/accounts/stack_managers_controller.rb b/app/controllers/accounts/stack_managers_controller.rb
index 7ecfaa0c..3711c1c7 100644
--- a/app/controllers/accounts/stack_managers_controller.rb
+++ b/app/controllers/accounts/stack_managers_controller.rb
@@ -12,6 +12,11 @@ module Accounts
 
       # If the user is not having an email domain end in the
       # portainer stack url, don't log them out, just return a different unauthorized.
+      if !stack_manager.is_user?(current_user)
+        head :method_not_allowed
+        return
+      end
+
       if stack_manager.stack.client.authenticated?
         head :ok
       else
diff --git a/app/javascript/controllers/stack_manager/badge_controller.js b/app/javascript/controllers/stack_manager/badge_controller.js
index 98c6bf6d..821cec31 100644
--- a/app/javascript/controllers/stack_manager/badge_controller.js
+++ b/app/javascript/controllers/stack_manager/badge_controller.js
@@ -5,7 +5,7 @@ const AUTHENTICATION_VERIFICATION_METHOD = "authentication";
 const URL_VERIFICATION_METHOD = "url";
 
 export default class extends Controller {
-  static targets = [ "message", "verifyUrlSuccess", "verifyUrlError", "verifyUrlLoading" ]
+  static targets = [ "message", "verifyUrlSuccess", "verifyUrlError", "verifyUrlLoading", "verifyUrlNotAllowed" ]
 
   static values = {
     verificationMethod: String,
@@ -27,6 +27,8 @@ export default class extends Controller {
       this.logout();
     } else if (result === PortainerChecker.STATUS_OK) {
       this.verifyUrlSuccessTarget.classList.remove('hidden')
+    } else if (result === PortainerChecker.STATUS_NOT_ALLOWED) {
+      this.verifyUrlNotAllowedTarget.classList.remove('hidden')
     } else {
       this.verifyUrlErrorTarget.classList.remove('hidden')
     }
diff --git a/app/javascript/utils/portainer.js b/app/javascript/utils/portainer.js
index 7123e0ab..9a847d8d 100644
--- a/app/javascript/utils/portainer.js
+++ b/app/javascript/utils/portainer.js
@@ -1,6 +1,7 @@
 export class PortainerChecker {
   static STATUS_OK = "ok";
   static STATUS_UNAUTHORIZED = "unauthorized";
+  static STATUS_NOT_ALLOWED = "not_allowed";
   static STATUS_ERROR = "error";
 
   csrfToken() {
@@ -24,6 +25,10 @@ export class PortainerChecker {
       return PortainerChecker.STATUS_UNAUTHORIZED;
     }
 
+    if (response.status === 405) {
+      return PortainerChecker.STATUS_NOT_ALLOWED;
+    }
+
     if (response.status === 502) {
       return PortainerChecker.STATUS_ERROR;
     }
diff --git a/app/views/devise/sessions/_portainer_badge.html.erb b/app/views/devise/sessions/_portainer_badge.html.erb
index 50eaea00..80b2aebd 100644
--- a/app/views/devise/sessions/_portainer_badge.html.erb
+++ b/app/views/devise/sessions/_portainer_badge.html.erb
@@ -27,6 +27,13 @@
         >
           <iconify-icon icon="lucide:alert-circle" width="12" height="12" class="text-red-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
         </div>
+        <div
+          class="tooltip tooltip-bottom flex hidden"
+          data-tip="Your current login does not have access to this stack manager. Please logout and login with your portainer username and password."
+          data-stack-manager--badge-target="verifyUrlNotAllowed"
+        >
+          <iconify-icon icon="lucide:alert-circle" width="12" height="12" class="text-red-400 opacity-80 group-hover/badge:opacity-100 transition-opacity duration-200"></iconify-icon>
+        </div>
         <iconify-icon
           icon="lucide:loader-2"
           width="12"
diff --git a/lib/portainer/stack.rb b/lib/portainer/stack.rb
index 7c27c7ac..d51de5f7 100644
--- a/lib/portainer/stack.rb
+++ b/lib/portainer/stack.rb
@@ -12,7 +12,7 @@ class Portainer::Stack
   end
 
   def connect(user, allow_anonymous: false)
-    access_token = if stack_manager.access_token.present? && !enable_role_based_access_control
+    access_token = if stack_manager.access_token.present? && !stack_manager.enable_role_based_access_control
       stack_manager.access_token
     elsif stack_manager.access_token.present? && allow_anonymous
       stack_manager.access_token
diff --git a/spec/actions/projects/create_spec.rb b/spec/actions/projects/create_spec.rb
index 60092418..d7e21719 100644
--- a/spec/actions/projects/create_spec.rb
+++ b/spec/actions/projects/create_spec.rb
@@ -90,7 +90,7 @@ RSpec.describe Projects::Create do
 
     context 'in cloud mode' do
       before do
-        allow(Rails.application.config).to receive(:local_mode).and_return(false)
+        allow(Rails.application.config).to receive(:cloud_mode).and_return(true)
       end
 
       it 'validates with github and registers webhooks' do
@@ -105,7 +105,7 @@ RSpec.describe Projects::Create do
 
     context 'in local mode' do
       before do
-        allow(Rails.application.config).to receive(:local_mode).and_return(true)
+        allow(Rails.application.config).to receive(:cloud_mode).and_return(false)
       end
 
       it 'validates with github and does not register webhooks' do
diff --git a/spec/models/stack_manager_spec.rb b/spec/models/stack_manager_spec.rb
index 3d9671ba..e978b30d 100644
--- a/spec/models/stack_manager_spec.rb
+++ b/spec/models/stack_manager_spec.rb
@@ -107,4 +107,25 @@ RSpec.describe StackManager, type: :model do
       expect(stack_manager.provider_url).to eq(invalid_url)
     end
   end
+
+  describe '#domain_host' do
+    it 'returns the host' do
+      stack_manager = build(:stack_manager, provider_url: 'https://portainer.example.com:9443')
+      expect(stack_manager.domain_host).to eq('portainer.example.com')
+    end
+  end
+
+  describe '#is_user?' do
+    let(:stack_manager) { build(:stack_manager, provider_url: 'https://portainer.example.com') }
+
+    it 'returns true when user email ends with domain host' do
+      user = double('User', email: 'john@portainer.example.com')
+      expect(stack_manager.is_user?(user)).to be true
+    end
+
+    it 'returns false when user email does not end with domain host' do
+      user = double('User', email: 'john@otherdomain.com')
+      expect(stack_manager.is_user?(user)).to be false
+    end
+  end
 end