diff --git a/back_latienda/permissions.py b/back_latienda/permissions.py
index 095d56e..8368e6d 100644
--- a/back_latienda/permissions.py
+++ b/back_latienda/permissions.py
@@ -41,13 +41,24 @@ class CustomUserPermissions(permissions.BasePermission):
 """
 Custom permissions for managing custom user instances
 """
+
+ def has_object_permission(self, request, view, obj):
+ # check for object permissions
+ if obj.email == request.user.email:
+ return True
+ elif request.user.is_staff is True:
+ return True
+ else:
+ return False
+
 def has_permission(self, request, view):
 # allow anon users to create new CustomUser (inactive)
 if request.method == 'POST' and request.user.is_anonymous is True:
 return True
-
+ elif request.method == 'PUT' and request.user.is_authenticated is True:
+ return True
 # only admins can change or delete
- if request.user.is_staff is True:
+ elif request.user.is_staff is True:
 return True
 # for everything else
diff --git a/core/models.py b/core/models.py
index 111900b..d36482c 100644
--- a/core/models.py
+++ b/core/models.py
@@ -46,8 +46,8 @@ class CustomUser(AbstractBaseUser, PermissionsMixin):
 email_verified = models.BooleanField('Email verificado', default=False, null=True)
 company = models.ForeignKey(Company, null=True, on_delete=models.DO_NOTHING, related_name='custom_user')
- is_active = models.BooleanField('Activo', default=True)
- is_staff = models.BooleanField('Empleado',default=False )
+ is_active = models.BooleanField('Activo', default=False)
+ is_staff = models.BooleanField('Empleado',default=False)
 modified = models.DateTimeField(auto_now=True, null=True, blank=True)
 created = models.DateTimeField(auto_now_add=True, null=True, blank=True)
diff --git a/core/serializers.py b/core/serializers.py
index b1443f7..8ba39c4 100644
--- a/core/serializers.py
+++ b/core/serializers.py
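Review bot: `has_object_permission` decides ownership with `obj.email == request.user.email`, but this same commit lets that user rewrite `email` through the new PUT path (the write serializer keeps `email` and the new test PUTs a different one), so identity is tied to a mutable, user-controlled field; `if obj.pk == request.user.pk:` is the stricter check and should replace the email comparison. The added `elif request.method == 'PUT' and request.user.is_authenticated is True:` branch makes every authenticated PUT clear `has_permission`, so correctness now rests entirely on each code path calling `check_object_permissions` for that request — any action that does not go through `get_object()` would be open to all authenticated users. PATCH is not granted the same way, so a partial self-update still falls through to the staff-only branch; if that asymmetry is intended, say so in a comment next to the PUT branch, otherwise include `'PATCH'`. The body of `has_permission` continues past the end of the hunk.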
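Review bot: Nothing in this diff activates an account once `is_active` defaults to `False`: `email_verified` on the line above also defaults to `False`, and no activation step is visible in the commit, so self-registered users presumably stay locked out until something outside this change flips the flag — confirm that path exists and is covered. The new default also applies to every `CustomUser` created without an explicit `is_active`, which likely includes a custom manager's `create_superuser` and any fixtures; those need `is_active=True` passed explicitly or the resulting accounts cannot log in. Document the intent on the field, e.g. `# new accounts start inactive; activation is expected to flip this after email verification`, so the next reader does not "fix" the default back to True.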
@@ -11,14 +11,14 @@ class CustomUserReadSerializer(serializers.ModelSerializer):
 class Meta:
 model = User
- fields = ('email', 'full_name', 'role', 'is_active',)
+ fields = ('email', 'full_name', 'role', 'is_active', 'provider')
 class CustomUserWriteSerializer(serializers.ModelSerializer):
 class Meta:
 model = User
- fields = ('email', 'full_name', 'role', 'is_active', 'password')
+ fields = ('email', 'full_name', 'role', 'password', 'provider')
 class CreatorSerializer(serializers.ModelSerializer):
diff --git a/core/tests.py b/core/tests.py
index 822e900..13f8cb2 100644
--- a/core/tests.py
+++ b/core/tests.py
@@ -43,6 +43,7 @@ class CustomUserViewSetTest(APITestCase):
 'email': 'test@email.com',
 'full_name': 'TEST NAME',
 'password': 'VENTILADORES1234499.89',
+ 'provider': 'TWITTER',
 }
 # Query endpoint
@@ -57,7 +58,6 @@ class CustomUserViewSetTest(APITestCase):
 self.assertNotEqual('', new_user.password)
 # assert instance is inactive
 info = json.loads(response.content)
- self.assertFalse(info['is_active'])
 def test_anon_user_cannot_modify_existing_instance(self):
@@ -110,6 +110,27 @@ class CustomUserViewSetTest(APITestCase):
 # Assert access is forbidden
 self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ def test_regular_user_can_modify_own_instance(self):
+ """Regular user can modify own instance
+ """
+ # Create instance
+ data = {
+ "email": "new_email@mail.com",
+ "full_name": "New Full Name",
+ "password": "SUPERSECRETNEWPASSWORD",
+ }
+
+ # Authenticate
+ token = get_tokens_for_user(self.user)
+ self.client.credentials(HTTP_AUTHORIZATION=f"Bearer {token['access']}")
+
+ # Query endpoint
+ url = self.endpoint + f'{self.user.pk}/'
+ response = self.client.put(url, data=data, format='json')
+
+ # Assert forbidden code
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+
 def test_regular_user_cannot_modify_existing_instance(self):
 """Regular user cannot modify existing instance
 """
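Review bot: `role` stays in `CustomUserWriteSerializer.fields` while the rest of this commit lets a regular user PUT to their own instance, so a non-staff user can now assign themselves any `role` the model accepts — a straightforward privilege escalation if `role` gates anything. Add `read_only_fields = ('role',)` to this `Meta` (or use a separate staff-only serializer for role changes) so self-service updates cannot touch it. Dropping `is_active` from the write fields closes the same hole for that flag, which is good, but `password` is still a plain model field with no `extra_kwargs = {'password': {'write_only': True}}`, so whatever is stored in that column ends up in `serializer.data` and in any response built from it. Whether that stored value is a hash or the raw input depends on the view/manager, which this hunk does not show.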
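Review bot: Deleting `self.assertFalse(info['is_active'])` leaves the comment `# assert instance is inactive` with no assertion behind it and `info` unused, so the new `default=False` on the model is no longer covered by this test. If the line was removed because `is_active` no longer appears in the response body (the write serializer dropped it in this commit), assert on the persisted row instead, which is the property that actually matters: `self.assertFalse(new_user.is_active)` — `new_user` is already in scope two lines above. The enclosing test method starts before this hunk.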
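Review bot: The comment `# Assert forbidden code` contradicts the `status.HTTP_200_OK` assertion beneath it (it reads like a copy of the forbidden test that follows), and `# Create instance` labels what is really an update payload; rename them `# Assert update is accepted` and `# Update payload`. The test also checks nothing but the status code, so it would still pass if the PUT silently ignored the body or stored the password verbatim, which is exactly the property a self-service update must preserve. After the status assertion add `self.user.refresh_from_db()`, `self.assertEqual(self.user.email, "new_email@mail.com")` and `self.assertTrue(self.user.check_password("SUPERSECRETNEWPASSWORD"))` (`check_password` comes from `AbstractBaseUser`, which the model extends).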
diff --git a/core/views.py b/core/views.py
index e8265e3..0d4119e 100644
--- a/core/views.py
+++ b/core/views.py
@@ -1,4 +1,4 @@
-from django.shortcuts import render
+from django.shortcuts import render, get_object_or_404
 from django.http import HttpResponse
 from rest_framework import status
@@ -44,3 +44,8 @@ class CustomUserViewSet(viewsets.ModelViewSet):
 serializer.errors, status=status.HTTP_406_NOT_ACCEPTABLE)
 except Exception as e:
 return Response(str(e), status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+
+ def get_object(self):
+ obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
+ self.check_object_permissions(self.request, obj)
+ return obj
\ No newline at end of file
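Review bot: The new `get_object` reimplements what DRF's `GenericAPIView.get_object` already does for a `ModelViewSet` — fetch by lookup, then `self.check_object_permissions(self.request, obj)` — but drops two things the base version has: `self.filter_queryset(...)` and the `lookup_url_kwarg`/`lookup_field` indirection, hard-coding `pk=self.kwargs["pk"]`. Since the object-permission call is not new behaviour, the override can most likely be removed outright; if it stays for a reason, document that reason in a docstring and keep parity with the base method: `lookup = self.lookup_url_kwarg or self.lookup_field`, `queryset = self.filter_queryset(self.get_queryset())`, `obj = get_object_or_404(queryset, **{lookup: self.kwargs[lookup]})`. The file also now ends without a trailing newline. The `except Exception as e` above is pre-existing, but note it returns `str(e)` to the client with a 500, which leaks internal error text.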