diff --git a/index/views.py b/index/views.py
index 766792a..6db98b5 100644
--- a/index/views.py
+++ b/index/views.py
@@ -3,7 +3,7 @@ import os
 from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden
 from django.shortcuts import render
 # from django.db.models import Manager
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 # только для тестирования!
 import requests
@@ -16,24 +16,20 @@ def view_index(request):
 return render(request, 'index.html')
+@permission_required(perm='view_logs', raise_exception=True)
 def view_stats(request):
- if request.user.is_authenticated:
- # только для тестирования!
- res = requests.get(TEST_BASE_FETCH + "?stats", headers={'Authorization': os.getenv("TEST_AUTH")})
- response = HttpResponse(res.content)
- response.headers["Content-type"] = response.headers["Content-type"]
- return response
- else:
- return HttpResponseForbidden()
+ # только для тестирования!
+ res = requests.get(TEST_BASE_FETCH + "?stats", headers={'Authorization': os.getenv("TEST_AUTH")})
+ response = HttpResponse(res.content)
+ response.headers["Content-type"] = response.headers["Content-type"]
+ return response
+@permission_required(perm='view_logs', raise_exception=True)
 def view_tank_chart(request):
- if request.user.is_authenticated:
- # только для тестирования!
- days = request.GET.get('days', '7')
- res = requests.get(TEST_BASE_FETCH + "?tank_chart=" + days, headers={'Authorization': os.getenv("TEST_AUTH")})
- response = HttpResponse(res.content)
- response.headers["Content-type"] = response.headers["Content-type"]
- return response
- else:
- return HttpResponseForbidden()
+ # только для тестирования!
+ days = request.GET.get('days', '7')
+ res = requests.get(TEST_BASE_FETCH + "?tank_chart=" + days, headers={'Authorization': os.getenv("TEST_AUTH")})
+ response = HttpResponse(res.content)
+ response.headers["Content-type"] = response.headers["Content-type"]
+ return response
diff --git a/users/models.py b/users/models.py
index 797a21e..f403bca 100644
--- a/users/models.py
+++ b/users/models.py
@@ -2,7 +2,7 @@ from django.contrib.auth.models import AbstractBaseUser
 from django.db import models
 from django.utils import timezone
 from django.core.validators import MinLengthValidator
-
+import ospaz_site.settings as settings
 from .managers import CustomUserManager
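Review bot: In view_tank_chart the `days` query parameter is still concatenated unvalidated into the upstream URL (`"?tank_chart=" + days`), and that request carries the server's `TEST_AUTH` Authorization header, so any caller holding `view_logs` can alter the query string of an authenticated backend call. Parse it first, e.g. `days = int(request.GET.get('days', '7'))` with a 400 response on `ValueError`, and let requests encode it via `params={'tank_chart': days}`. Both `requests.get` calls in this hunk also lack a `timeout=`, so a stalled upstream holds the worker indefinitely. The line `response.headers["Content-type"] = response.headers["Content-type"]` in both views assigns the header to itself; it was presumably meant to read from `res.headers`.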
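Review bot: The added `import ospaz_site.settings as settings` in users/models.py reads the project's settings module directly rather than Django's settings object. `from django.conf import settings` honours `DJANGO_SETTINGS_MODULE` and test overrides, so the `settings.DEBUG` check in `has_perm` would then agree with what the rest of the project sees.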
@@ -35,7 +35,34 @@ class User(AbstractBaseUser):
 default_permissions = ()
 def has_perm(self, perm, obj=None):
- return self.is_superuser
+ # управления правами пользователя
+ secure_level = -1
+ if self.is_authenticated:
+ secure_level = 0
+ if self.is_superuser:
+ secure_level = 1
+
+ permissions = {
+ 'view_logs': 0,
+ 'change_users': 1,
+
+ 'users.add_user': 1,
+ 'users.change_user': 1,
+ 'users.delete_user': 1,
+ 'users.view_user': 1
+ }
+ if perm in permissions:
+ if permissions[perm] <= secure_level:
+ return True
+ elif settings.DEBUG:
+ print(f"User.has_perm: unknown permission - '{perm}'")
+ return False
+
+ def has_perms(self, perm_list, obj=None):
+ for p in perm_list:
+ if not self.has_perm(p, obj):
+ return False
+ return True
 def has_module_perms(self, package_name):
 return self.is_superuser
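Review bot: `has_perm` never leaves `secure_level` at -1 for a real user object, because `is_authenticated` on `AbstractBaseUser` is always true unless `User` overrides it outside this hunk, and nothing here looks at `is_active`; a deactivated account that reaches this method still gets `view_logs`. Add `if not self.is_active: return False` as the first statement, in line with how Django's built-in permission checks treat inactive users. Superusers also lose every permission not listed in the dict, where the old code returned `self.is_superuser`, so it is worth confirming that no admin or third-party check relies on an unlisted codename. The `print` under `settings.DEBUG` would be better as a `logging` warning, and the table could be a class-level constant instead of being rebuilt on every call. The `User` class begins and continues outside the hunk.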