diff --git a/app/controllers/users/headmaps_controller.rb b/app/controllers/users/headmaps_controller.rb
index 7c88b5681..7faba1e50 100644
--- a/app/controllers/users/headmaps_controller.rb
+++ b/app/controllers/users/headmaps_controller.rb
@@ -10,15 +10,15 @@ class Users::HeadmapsController < Users::BaseController
   private 
   def start_stamp
     if params[:year].present?
-      Date.new(params[:year], 1).to_time.to_i
+      Date.new(params[:year].to_i, 1).to_time.to_i
     else 
-      Date.today.to_time.to_i - 365*24*60*60
+      (Date.today  - 1.years).to_time.to_i  
     end
   end
 
   def end_stamp 
     if params[:year].present?
-      Date.new(params[:year], 1).to_time.to_i + 365*24*60*60
+      (Date.new(params[:year].to_i, 1) + 1.years).to_time.to_i
     else 
       Date.today.to_time.to_i 
     end
diff --git a/app/controllers/users/messages_controller.rb b/app/controllers/users/messages_controller.rb
index 5116f580f..4feb4a98e 100644
--- a/app/controllers/users/messages_controller.rb
+++ b/app/controllers/users/messages_controller.rb
@@ -1,6 +1,7 @@
 class Users::MessagesController < Users::BaseController 
   before_action :private_user_resources!
   before_action :find_receivers, only: [:create]
+  before_action :check_auth
 
   def index 
 		limit = params[:limit] || params[:per_page]
@@ -63,6 +64,10 @@ class Users::MessagesController < Users::BaseController
   end
 
   private 
+  def check_auth
+    return render_forbidden unless current_user.admin? || observed_logged_user?
+  end
+
   def message_type 
     @message_type = begin
       case params[:type]