diff --git a/backend/clubs/permissions.py b/backend/clubs/permissions.py
index 59fda9db7..9640d8b4f 100644
--- a/backend/clubs/permissions.py
+++ b/backend/clubs/permissions.py
@@ -571,19 +571,19 @@ class TicketTransactionPermission(permissions.BasePermission):
 """
 def has_permission(self, request, view):
- if request.user.is_superuser:
- return True
-
- event_id = request.query_params.get("event_id")
- if not event_id:
- return False
-
 if not request.user.is_authenticated:
 return False
+ if request.user.is_superuser:
+ return True
+
 if request.user.has_perm("clubs.manage_club"):
 return True
+ event_id = request.query_params.get("event_id", None)
+ if not event_id:
+ return False
+
 try:
 event = Event.objects.get(id=event_id)
 membership = find_membership_helper(request.user, event.club)
diff --git a/backend/clubs/views.py b/backend/clubs/views.py
index b4cebf8d4..3feab2328 100644
--- a/backend/clubs/views.py
+++ b/backend/clubs/views.py
@@ -5975,6 +5975,13 @@ def refund(self, request, *args, **kwargs):
 Marks the transaction as refunded, makes tickets available again, and sends confirmation emails to the buyer and event organizer.
 ---
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ properties: {}
+ required: []
 responses:
 "200":
 content:
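Review bot: In `TicketTransactionPermission.has_permission` (backend/clubs/permissions.py), the membership check that follows `event_id = request.query_params.get("event_id", None)` authorises against an event the caller names in the query string, and nothing in this hunk ties that event to the transaction the view then acts on. Unless a `has_object_permission` or queryset filter outside the hunk compares the transaction's event with `event_id`, membership in one club's event may be enough to pass the check for another club's transaction, so that binding is worth confirming or adding. The `try:` block continues past the hunk; its handler should also cover a malformed `event_id`, since `Event.objects.get(id=event_id)` typically raises `ValueError` rather than `Event.DoesNotExist` for a non-numeric value on an integer key. The `, None` default is redundant and can be dropped: `event_id = request.query_params.get("event_id")`.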