diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4cb2b061..a6f8fdc4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -110,3 +110,8 @@ repos: language: system files: ^resources/.*\.php$ exclude: ^resources/lib/UnityHTTPD\.php$ + - id: assert-forbidden-used + name: Assert forbidden() is used + entry: bash ./test/assert-forbidden-used.bash + language: system + files: ^webroot/admin/.*\.php$ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d553ae9e..e841dd29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -22,6 +22,7 @@ This will enable strict mode and throw an exception rather than returning `false`. - `UnityHTTPD`'s user-facing error functionality (ex: `badRequest`) should only be called from `webroot/**/*.php`. `resources/**/*.php` should throw exceptions instead. +- all pages under `webroot/admin/` must check for `$USER->isAdmin()` and call `UnityHTTPD::forbidden()` if not admin. This repository will automatically check PRs for linting compliance. diff --git a/test/assert-forbidden-used.bash b/test/assert-forbidden-used.bash new file mode 100644 index 00000000..f5c1524b --- /dev/null +++ b/test/assert-forbidden-used.bash @@ -0,0 +1,20 @@ +set -euo pipefail +trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR +if [[ $# -lt 1 ]]; then + echo "at least one argument required" + exit 1 +fi + +rc=0 +for file in "$@"; do + grep_rc=0; grep -q UnityHTTPD::forbidden "$file" || grep_rc=$? + case "$grep_rc" in + 0) + : ;; # code is good, do nothing + 1) + echo "UnityHTTPD::forbidden() was not called in file '$file'!"; rc=1 ;; + *) + echo "grep failed!"; rc=1 ;; + esac +done +exit "$rc"
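Review bot: The `files: ^webroot/admin/.*\.php$` filter in the new hook means pre-commit passes only the staged files that match, so an existing admin page that is not touched by a commit is never re-checked locally; the "all pages under `webroot/admin/`" guarantee stated in CONTRIBUTING holds only where CI runs `pre-commit run --all-files`, which this diff does not show. Pre-commit also skips a hook entirely when no files match, so the script's "at least one argument required" branch is effectively unreachable via this entry and matters only for manual invocation. Worth a one-line comment on the hook, e.g. `# heuristic: textual presence check only; CI must run --all-files for full coverage`.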
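Review bot: The `grep -q UnityHTTPD::forbidden "$file"` line is a pure substring test, so an admin page that mentions `UnityHTTPD::forbidden` only in a comment or an unreachable branch passes, and the `$USER->isAdmin()` gate that the accompanying CONTRIBUTING rule also requires is never checked at all. A cheap tightening is to require both tokens and protect grep from pattern or option interpretation: `grep -Fq -- 'UnityHTTPD::forbidden' "$file" || grep_rc=$?` plus a parallel `grep -Fq -- 'isAdmin()' "$file"` check, with the absence of either reported as a failure. The `echo` diagnostics should go to stderr (`>&2`), and the file has no shebang, which is acceptable only as long as it is always invoked as `bash ./test/assert-forbidden-used.bash` the way the hook entry does. This remains a lint-level heuristic rather than evidence that the authorization check executes before any privileged work; a functional test that requests each admin page as a non-admin user and expects a 403 would be the stronger control.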