diff --git a/app/flask-postgres/app/permissions.py b/app/flask-postgres/app/permissions.py
index 19854a2..1205695 100644
--- a/app/flask-postgres/app/permissions.py
+++ b/app/flask-postgres/app/permissions.py
@@ -8,32 +8,47 @@ def is_video_allowed_for_level(filename: str, mandant_level: int | None) -> bool
     basename = os.path.basename(filename)
     first_char = basename[:1].upper()
 
-    if mandant_level in (0, 1):
+    # 0 = Admin = alles
+    if mandant_level == 0:
         return True
+
+    # 1 = Gold = A + B + C
+    if mandant_level == 1:
+        return first_char in ("A", "B", "C")
+
+    # 2 = Silber = A + B
     if mandant_level == 2:
         return first_char in ("A", "B")
+
+    # 3 = Bronze = A
     if mandant_level == 3:
         return first_char == "A"
 
     return False
 
-def get_available_courses_for_user():
-    level = session.get("mandant_level", 0)
 
-    conn = get_connection()
-    cur = conn.cursor()
 
-    cur.execute("""
-        SELECT id, code, title, description, video_file
-        FROM course
-        WHERE is_active = TRUE
-          AND min_level <= %s
-        ORDER BY sort_order, code
-    """, (level,))
+def is_course_allowed_for_level(code: str, mandant_level: int | None) -> bool:
+    if mandant_level is None:
+        return False
 
-    courses = fetchall_dict(cur)
+    prefix = (code or "")[:1].upper()
 
-    cur.close()
-    conn.close()
+    # 0 = Admin = alles
+    if mandant_level == 0:
+        return True
+
+    # 1 = Gold = A + B + C
+    if mandant_level == 1:
+        return prefix in ("A", "B", "C")
+
+    # 2 = Silber = A + B
+    if mandant_level == 2:
+        return prefix in ("A", "B")
+
+    # 3 = Bronze = A
+    if mandant_level == 3:
+        return prefix == "A"
+
+    return False
 
-    return courses
\ No newline at end of file
diff --git a/app/flask-postgres/tests/test_permissions.py b/app/flask-postgres/tests/test_permissions.py
index 9ff340c..6b72d5a 100644
--- a/app/flask-postgres/tests/test_permissions.py
+++ b/app/flask-postgres/tests/test_permissions.py
@@ -1,4 +1,28 @@
-from permissions import is_video_allowed_for_level
+from permissions import is_video_allowed_for_level, is_course_allowed_for_level
+
+
+def test_course_level_0_admin_sees_all():
+    assert is_course_allowed_for_level("A1", 0) is True
+    assert is_course_allowed_for_level("B1", 0) is True
+    assert is_course_allowed_for_level("C1", 0) is True
+
+
+def test_course_level_1_gold_sees_a_b_c():
+    assert is_course_allowed_for_level("A1", 1) is True
+    assert is_course_allowed_for_level("B1", 1) is True
+    assert is_course_allowed_for_level("C1", 1) is True
+
+
+def test_course_level_2_silber_sees_a_b():
+    assert is_course_allowed_for_level("A1", 2) is True
+    assert is_course_allowed_for_level("B1", 2) is True
+    assert is_course_allowed_for_level("C1", 2) is False
+
+
+def test_course_level_3_bronze_sees_only_a():
+    assert is_course_allowed_for_level("A1", 3) is True
+    assert is_course_allowed_for_level("B1", 3) is False
+    assert is_course_allowed_for_level("C1", 3) is False
 
 def test_level_0_sees_everything():
     assert is_video_allowed_for_level("A1.mp4", 0) is True