diff --git a/tJango/permissions.py b/tJango/permissions.py
new file mode 100644
index 0000000..37e9db4
--- /dev/null
+++ b/tJango/permissions.py
@@ -0,0 +1,11 @@
+from rest_framework import permissions
+from user_token.views import TokenValidation
+
+
+class IsOwnerOrIsAdminOrHasToken(permissions.BasePermission):
+    def has_permission(self, request, view):
+        token = request.META.get("HTTP_DETECTIVE_TOKEN")
+        is_token_valid = bool(TokenValidation.check_token(token))
+        return (
+            is_token_valid | request.user.is_superuser | request.user.is_authenticated
+        )
diff --git a/user/views.py b/user/views.py
index d3670cc..c06946b 100644
--- a/user/views.py
+++ b/user/views.py
@@ -1,6 +1,7 @@
 from rest_framework.viewsets import ModelViewSet
 
 # from rest_framework.permissions import IsAuthenticatedOrReadOnly
+from tJango import permissions
 
 from .models import User
 from .serializers import UserSerializer
@@ -8,4 +9,4 @@ from .serializers import UserSerializer
 class UserViewSet(ModelViewSet):
     queryset = User.objects.all()
     serializer_class = UserSerializer
-    # permission_classes = [IsAuthenticatedOrReadOnly]
+    permission_classes = [permissions.IsOwnerOrIsAdminOrHasToken]
diff --git a/user_token/views.py b/user_token/views.py
index d0f3d36..2e41c15 100644
--- a/user_token/views.py
+++ b/user_token/views.py
@@ -9,3 +9,8 @@ class UserViewSet(ReadOnlyModelViewSet):
     queryset = UserToken.objects.all()
     serializer_class = UserTokenSerializer
     # permission_classes = [IsAuthenticatedOrReadOnly]
+
+
+class TokenValidation:
+    def check_token(value):
+        return UserToken.objects.filter(token=value)
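Review bot: The class is named `IsOwnerOrIsAdminOrHasToken`, but `has_permission` never checks ownership and there is no `has_object_permission`, so the rule it actually enforces is "any authenticated user, or anyone presenting a `Detective-Token` header that matches a `UserToken` row" — and `is_superuser` is redundant because a superuser is always `is_authenticated`. On a `ModelViewSet` that means every logged-in user can update or delete every other user's record. The bitwise `|` on booleans also evaluates all operands and reads as a typo for `or`. I would keep the coarse check in `has_permission` (guarding against a missing header, since `check_token(None)` runs a `token IS NULL` query) and move the owner/admin/token distinction into `has_object_permission`; `obj == request.user` assumes the viewset's `User` is the configured auth user model, which I cannot confirm from the diff.
```python
class IsOwnerOrIsAdminOrHasToken(permissions.BasePermission):
    """Allow authenticated users and valid Detective-Token holders in; restrict
    object access to the owner, superusers and token holders."""

    def _has_valid_token(self, request):
        token = request.META.get("HTTP_DETECTIVE_TOKEN")
        # Never look up an absent header: filter(token=None) matches NULL rows.
        return bool(token) and bool(TokenValidation.check_token(token))

    def has_permission(self, request, view):
        return self._has_valid_token(request) or request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        if request.user.is_superuser or self._has_valid_token(request):
            return True
        return obj == request.user  # assumes obj is the auth user model
```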
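Review bot: Switching `permission_classes` to `IsOwnerOrIsAdminOrHasToken` on a `ModelViewSet` over `User.objects.all()` exposes list, create, update and destroy for every user to any authenticated caller, because the permission as added in `tJango/permissions.py` defines no `has_object_permission` and the viewset does no per-user filtering. If the intent behind the "Owner" part of the name is that users manage only themselves, the view needs either an object-level check in the permission or a `get_queryset` that narrows to `request.user` for non-admin, non-token callers, e.g. `def get_queryset(self): return User.objects.filter(pk=self.request.user.pk)` behind the admin/token branch. It is also worth confirming which authentication classes are active, since the token header is consumed by the permission rather than by an authentication backend; that configuration is outside this diff.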
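Review bot: `check_token(value)` passes the raw header through to `UserToken.objects.filter(token=value)`, and when the `Detective-Token` header is absent the caller in `tJango/permissions.py` hands it `None`, which Django turns into `token IS NULL`; if the `token` column is nullable (the model is not in this diff), a request with no header would validate against any row with an empty token. It is also defined without `self` or `@staticmethod`, which works when called on the class but breaks if anyone ever calls it on an instance. I would guard the empty case and mark the method static: `@staticmethod` above `def check_token(value):`, then `if not value: return UserToken.objects.none()` before the existing `return`. A short docstring stating that callers should treat a non-empty result as a valid token would also help, since the method returns a queryset rather than a boolean.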