diff --git a/app/controllers/users/messages_controller.rb b/app/controllers/users/messages_controller.rb
index 5116f580f..4feb4a98e 100644
--- a/app/controllers/users/messages_controller.rb
+++ b/app/controllers/users/messages_controller.rb
@@ -1,6 +1,7 @@
 class Users::MessagesController < Users::BaseController
   before_action :private_user_resources!
   before_action :find_receivers, only: [:create]
+  before_action :check_auth
 
   def index
     limit = params[:limit] || params[:per_page]
@@ -63,6 +64,10 @@ class Users::MessagesController < Users::BaseController
   end
 
   private
+  def check_auth
+    return render_forbidden unless current_user.admin? || observed_logged_user?
+  end
+
   def message_type
     @message_type = begin
       case params[:type]
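Review bot: `before_action :check_auth` is declared after `find_receivers`, so on `create` the receiver lookup runs before the caller has been authorized; declaring it right after `private_user_resources!` (which it presumably relies on for the observed user) means a forbidden request does no work beyond the check, i.e. move `before_action :check_auth` above `before_action :find_receivers, only: [:create]`. In the `check_auth` body (second hunk) the `return` is redundant, since the render is the method's last expression and a rendering before_action halts the chain on its own; `render_forbidden unless current_user.admin? || observed_logged_user?` reads cleaner. If `current_user` can be nil at this point (the base controller is outside the hunk), `current_user.admin?` raises instead of forbidding, so either the base controller's login guard should be confirmed or `current_user&.admin?` used. A one-line comment above the method stating the policy would help the next reader, e.g. `# Admins, or the logged-in user viewing their own messages, may use this controller; everyone else gets 403.`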