diff --git a/app/Http/Controllers/Api/Client/Servers/SubuserController.php b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
index 5985689d4..077a46149 100644
--- a/app/Http/Controllers/Api/Client/Servers/SubuserController.php
+++ b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
@@ -138,15 +138,7 @@ class SubuserController extends ClientApiController
 */
 protected function getDefaultPermissions(Request $request): array
 {
- $allowed = Permission::permissions()
- ->map(function ($value, $prefix) {
- return array_map(function ($value) use ($prefix) {
- return "$prefix.$value";
- }, array_keys($value['keys']));
- })
- ->flatten()
- ->all();
-
+ $allowed = Permission::permissionKeys()->all();
 $cleaned = array_intersect($request->input('permissions') ?? [], $allowed);
 
 return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));
diff --git a/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php b/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
index 517c2c06d..26e4786b2 100644
--- a/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
@@ -22,7 +22,8 @@ class SendPowerRequest extends ClientApiRequest
 return Permission::ACTION_CONTROL_RESTART;
 }
 
- return '__invalid';
+ // Fallback for invalid signals
+ return Permission::ACTION_WEBSOCKET_CONNECT;
 }
 
 /**
diff --git a/app/Models/Permission.php b/app/Models/Permission.php
index 82718f06f..a9b5a79c3 100644
--- a/app/Models/Permission.php
+++ b/app/Models/Permission.php
@@ -211,4 +211,11 @@ class Permission extends Model implements Validatable
 
 return collect($permissions);
 }
+
+ public static function permissionKeys(): Collection
+ {
+ return static::permissions()
+ ->map(fn ($value, $prefix) => array_map(fn ($value) => "$prefix.$value", array_keys($value['keys'])))
+ ->flatten();
+ }
 }
diff --git a/app/Policies/ServerPolicy.php b/app/Policies/ServerPolicy.php
index 539ae2712..d032405d7 100644
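Review bot: The added `return Permission::ACTION_WEBSOCKET_CONNECT;` makes an unrecognised `signal` an authorized request, because that constant is the permission every subuser created through `getDefaultPermissions()` receives unconditionally (the SubuserController hunk in this commit merges it into every permission set), whereas the removed `'__invalid'` named a permission nobody holds. From this point on, rejecting unknown signals rests entirely on the request's validation rules, which are outside the hunk; Laravel form requests authorize before they validate, so if those rules are ever relaxed an unknown signal reaches the controller with only that broadly-held permission checked. If the intent is to let validation answer with a 422 rather than a 403 now that ServerPolicy no longer grants owners arbitrary abilities, make that dependency explicit in place of the current comment, e.g. `// Unknown signals pass authorization on purpose; the request rules must reject them before the controller runs`. The enclosing method starts outside the hunk; if it is a `switch` over the signal input, a `match` with an explicit `default` arm would make this fallback harder to miss.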
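Review bot: The new `permissionKeys()` has no docblock, and the inner arrow function's `$value` parameter shadows the outer `$value` (the per-prefix definition array) on the same line, which reads as a bug at first glance. Rename the inner parameter and document the element type: `->map(fn ($value, $prefix) => array_map(fn ($key) => "$prefix.$key", array_keys($value['keys'])))` with `/** @return Collection<int, string> Fully qualified permission keys in the form prefix.key. */` above the signature. ServerPolicy now calls this on every ability check; the result is a pure function of the static permission table, so a `static` local cache (`static $keys = null; $keys ??= ...`) would avoid rebuilding it per check, although the cost is presumably small. The `Collection` return type relies on an import outside the hunk — confirm it names the class that `permissions()` returns.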
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@@ -2,6 +2,7 @@
 
 namespace App\Policies;
 
+use App\Models\Permission;
 use App\Models\Server;
 use App\Models\User;
 
@@ -21,15 +22,17 @@ class ServerPolicy
 return null;
 }
 
- // Owner has full server permissions
- if ($server->owner_id === $user->id) {
- return true;
- }
+ if (Permission::permissionKeys()->contains($ability)) {
+ // Owner has full server permissions
+ if ($server->owner_id === $user->id) {
+ return true;
+ }
 
- $subuser = $server->subusers->where('user_id', $user->id)->first();
- // If the user is a subuser check their permissions
- if ($subuser && in_array($ability, $subuser->permissions)) {
- return true;
+ $subuser = $server->subusers->where('user_id', $user->id)->first();
+ // If the user is a subuser check their permissions
+ if ($subuser && in_array($ability, $subuser->permissions)) {
+ return true;
+ }
 }
 
 // Make sure user can target node of the server
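Review bot: Both membership tests on the new side are loose: `Collection::contains($ability)` with a single bare value falls back to a non-strict `in_array`, and the moved `in_array($ability, $subuser->permissions)` line still has no strict flag, so a non-string ability such as `true` would match any key. The permission keys are non-numeric strings, so string abilities behave today, but an authorization gate should not rely on that; use `if (Permission::permissionKeys()->containsStrict($ability)) {` and `if ($subuser && in_array($ability, $subuser->permissions, true)) {`. The comment `// Owner has full server permissions` is now inaccurate, since the owner only short-circuits for abilities that are known permission keys; say so, e.g. `// Owner holds every permission key; other abilities fall through to the node check below`. The enclosing method starts and ends outside the hunk, and what the fall-through returns for non-permission abilities is not visible here — a test that an unknown ability is denied for owner and subuser alike would pin the intended behaviour.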