diff --git a/pillar/application/utils/authorization.py b/pillar/application/utils/authorization.py
index bebf229d..54056774 100644
--- a/pillar/application/utils/authorization.py
+++ b/pillar/application/utils/authorization.py
@@ -313,7 +313,8 @@ def user_has_role(role, user=None):
 if user is None:
 return False
- return role in user['roles']
+ roles = user.get('roles') or ()
+ return role in roles
 def user_matches_roles(require_roles=set(),
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 76d396f0..6ad723a4 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -573,3 +573,14 @@ class RequireRolesTest(AbstractPillarTest):
 'roles': [u'service', u'badger']}
 call_me()
 self.assertTrue(called[0])
+
+ def test_user_has_role(self):
+ from application.utils.authorization import user_has_role
+
+ with self.app.test_request_context():
+ self.assertTrue(user_has_role('subscriber', {'roles': ['aap', 'noot', 'subscriber']}))
+ self.assertTrue(user_has_role('subscriber', {'roles': [u'aap', u'subscriber']}))
+ self.assertFalse(user_has_role('admin', {'roles': [u'aap', u'noot', u'subscriber']}))
+ self.assertFalse(user_has_role('admin', {'roles': []}))
+ self.assertFalse(user_has_role('admin', {'roles': None}))
+ self.assertFalse(user_has_role('admin', {}))
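Review bot: `role in roles` on the new return line still trusts the shape of `user['roles']`: if a user document ever carries a plain string there, the membership test becomes a substring match, so a role such as `'adm'` would be granted against a stored `'admin'`. The `or ()` fallback only covers missing, `None` and other falsy values. Whether a string can reach this point depends on the user schema, which is not visible here, but an authorization helper should fail closed on it; after the `roles = ...` line I would add `if not isinstance(roles, (list, tuple, set, frozenset)): return False`. The body of `user_has_role` starts above the hunk, so how `user` is resolved when the argument is omitted is not visible.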
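Review bot: `test_user_has_role` passes an explicit user dict in every assertion, so the `if user is None: return False` branch shown in the first hunk is never exercised. That default path is presumably the one request handlers hit when no user is supplied, and it is the fail-closed case most worth pinning. Inside the same `with` block I would add `self.assertFalse(user_has_role('admin'))`, assuming the test request context has no authenticated user. A near-miss negative such as `self.assertFalse(user_has_role('sub', {'roles': ['subscriber']}))` would also pin element-wise matching rather than partial matching.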