diff --git a/backend/app/api/GroupAPI.py b/backend/app/api/GroupAPI.py index a8b13c3..deaa810 100644 --- a/backend/app/api/GroupAPI.py +++ b/backend/app/api/GroupAPI.py @@ -3,15 +3,16 @@ import os from flask_restful import Resource, request from app.api import mailsModels -from app.model import * -from app.utils import * +from app.api.LoginAPI import login_required +from app.model import Roles, getGroup, getParam, getUser, USER, GROUP, TUTORSHIP +from app.utils import send_mail, checkParams class GroupAPI(Resource): """ Group Api Resource """ - + @login_required(roles=[Roles.resp_formation]) def post(self): args = request.get_json(cache=False, force=True) if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): diff --git a/backend/app/api/LivretAPI.py b/backend/app/api/LivretAPI.py index ecd87cd..0667f1c 100644 --- a/backend/app/api/LivretAPI.py +++ b/backend/app/api/LivretAPI.py @@ -3,15 +3,15 @@ import os from flask_restful import Resource, request from app.api import mailsModels -from app.model import * -from app.utils import * - +from app.model import Roles, getParam, getGroup, getUser, USER, GROUP, TUTORSHIP +from app.utils import send_mail, checkParams +from app.api.LoginAPI import login_required class LivretAPI(Resource): """ Livret Api Resource """ - + @login_required(roles=[Roles.etudiant]) def post(self): args = request.get_json(cache=False, force=True) if not checkParams(['name', 'year', 'class_short', 'class_long', 'department', 'resp_id', 'sec_id'], args): diff --git a/backend/app/api/LoginAPI.py b/backend/app/api/LoginAPI.py index c426fb3..b388529 100644 --- a/backend/app/api/LoginAPI.py +++ b/backend/app/api/LoginAPI.py 
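Review bot: The `@login_required(roles=[Roles.resp_formation])` line is now the only access control visible on `GroupAPI.post`, but the class docstring still says just "Group Api Resource", so the requirement is invisible to anyone reading the resource without following the decorator. Suggest the docstring state it, e.g. `"""Group Api Resource. POST creates a group; the caller must hold the resp_formation role (enforced by login_required)."""`. `checkParams` only verifies the listed keys are present, so whether `resp_id`/`sec_id` may name arbitrary users is decided further down in `post`, whose body continues outside the hunk.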
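Review bot: `LivretAPI.post` is restricted to `Roles.etudiant` yet validates exactly the same parameter list as `GroupAPI.post` (`name, year, class_short, class_long, department, resp_id, sec_id`), which looks like the handler body was copied from GroupAPI; either the role list or the parameter list is probably not what was intended, and a student-only endpoint that accepts `resp_id`/`sec_id` deserves a second look. Please confirm which one is right and document the result in the docstring, e.g. `"""Livret Api Resource. POST ... ; callers must hold the etudiant role."""`. The rest of `post` continues outside the hunk, so the actual use of those parameters is not visible here.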
@@ -49,3 +49,15 @@ class LoginAPI(Resource): session['user'] = None return {'AUTH_RESULT': 'OK'}, 200 + + +def login_required(roles=[]): + def my_login_required(func): + def wrapper(*args): + current_user = session.get('user', None) + if current_user is None or (len(roles) != 0 and not sum([1 for x in current_user['role'].split("-") if int(x) in roles]) > 0): + return {"msg": "UNAUTHORIZED"}, 401 + return func(*args) + return wrapper + return my_login_required + diff --git a/backend/app/api/PdfAPI.py b/backend/app/api/PdfAPI.py index a1e7105..bf831d1 100644 --- a/backend/app/api/PdfAPI.py +++ b/backend/app/api/PdfAPI.py @@ -1,29 +1,29 @@ -import os - -from flask import request from flask_restful import Resource from flask_restful.reqparse import RequestParser +from app.tools.LibPdf import delete_file from model import getParam +from werkzeug.utils import secure_filename from app.model import getGroup -from app.tools.LibPdf import delete_file, upload_file, allowed_file +from app.tools.LibPdf import upload_file, allowed_file +from app.api.LoginAPI import login_required +import os +import request class PdfAPI(Resource): """ Pdf Api Resource """ - + @login_required() def delete(self): parser = RequestParser() parser.add_argument('templateName', required=True, help="Template name is required !") args = parser.parse_args() - if ".." in args: - return {"msg": ".. not allowed in path"}, 400 - - delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), args['templateName'])) + delete_file(os.path.join(getParam('TEMPLATES_DIRECTORY'), secure_filename(args['templateName']))) + @login_required() def post(self): """ Upload d'un template diff --git a/backend/app/api/UserAPI.py b/backend/app/api/UserAPI.py index f9bfbcb..5b61425 100644 --- a/backend/app/api/UserAPI.py +++ b/backend/app/api/UserAPI.py 
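Review bot: `wrapper(*args)` drops keyword arguments, so any decorated resource method that receives URL-rule variables (flask-restful passes them as keyword arguments) will raise a TypeError and answer 500 instead of being authorized; the wrapper must accept and forward `**kwargs`. In the same condition, `int(x)` is applied to every piece of `current_user['role'].split("-")`, so a malformed or empty role string raises ValueError (also a 500) rather than a clean rejection, and a session user without a `role` key raises KeyError; both should be caught and treated as unauthorized. The `not sum([...]) > 0` expression is correct but opaque and is clearer as `any(...)`, `roles=[]` is a mutable default, and the decorator lacks `functools.wraps` (needs `import functools` at the top of the file). Returning 403 for an authenticated user with the wrong role, keeping 401 only for a missing session, would also let clients distinguish "log in" from "not allowed" — note that this changes the response body a client may currently match on. The role list is snapshotted into the session at login, so role changes or revocations presumably only take effect after re-login; worth a comment if that is accepted.
```python
def login_required(roles=None):
    """Reject with 401 when no user is in the session, and with 403 when *roles*
    is non-empty and none of the user's "-"-separated role ids is in it."""
    allowed = set(roles or ())

    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            current_user = session.get('user')
            if current_user is None:
                return {"msg": "UNAUTHORIZED"}, 401
            try:
                user_roles = {int(r) for r in str(current_user.get('role', '')).split("-") if r}
            except ValueError:
                # malformed role string in the session: treat as not authenticated rather than 500
                return {"msg": "UNAUTHORIZED"}, 401
            if allowed and not (user_roles & allowed):
                return {"msg": "FORBIDDEN"}, 403
            return func(*args, **kwargs)
        return wrapper
    return decorator
```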
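Review bot: The hunk replaces `from flask import request` with a bare `import request` at the bottom of the import block; there is no such module in Flask or the standard library, so unless the project ships a local `request` module this file will fail to import at startup (and `post`, whose body runs past the end of the hunk, presumably relies on `request.files`), so restore `from flask import request`. Switching the traversal check to `secure_filename` is the right move (the old `".." in args` tested the parser's keys, not the value), but `secure_filename` returns an empty string for inputs such as `..`, `/` or names made only of non-ASCII characters, and `os.path.join(getParam('TEMPLATES_DIRECTORY'), '')` is then the templates directory itself, which is what gets handed to `delete_file`; guard it with `name = secure_filename(args['templateName'])` followed by `if not name: return {"msg": "invalid template name"}, 400` before the join. Separately, both `delete` and `post` use `@login_required()` with no role list, so any authenticated user (students included) can delete or upload templates, whereas GroupAPI in this same commit restricts writes to `Roles.resp_formation`; please confirm that is intended or pass the appropriate roles here too.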
@@ -2,15 +2,15 @@ from hashlib import sha256 from flask_restful import Resource, request -from app.model import * +from app.model import Roles, getUser, hashExists, USER from app.utils import checkParams, get_random_string - +from app.api.LoginAPI import login_required class UserAPI(Resource): """ User Api Resource """ - + @login_required(roles=[Roles.resp_formation]) def post(self): args = request.get_json(cache=False, force=True) if not checkParams(['role', 'email', 'name'], args): diff --git a/backend/app/api/UserInfoAPI.py b/backend/app/api/UserInfoAPI.py index c1807e9..5e2f6cc 100644 --- a/backend/app/api/UserInfoAPI.py +++ b/backend/app/api/UserInfoAPI.py @@ -1,7 +1,7 @@ from flask import session from flask_restful import Resource - -from app.model import * +from app.api.LoginAPI import login_required +from app.model import LIVRET, TUTORSHIP, and_ class UserInfoAPI(Resource): @@ -9,6 +9,7 @@ class UserInfoAPI(Resource): UserInfo Api Resource """ + @login_required() def get(self): user = session.get("user", None) return {'USER': user}, 200 @@ -18,7 +19,7 @@ class UserGroupsAPI(Resource): """ UserGroups Api Resource """ - + @login_required() def get(self): user = session.get("user", None) if user is not None: diff --git a/backend/app/model.py b/backend/app/model.py index 70cc838..6179978 100644 --- a/backend/app/model.py +++ b/backend/app/model.py @@ -91,3 +91,11 @@ def hashExists(test): rows = query.execute() res = rows.first() return res is not None + + +class Roles: + secretaire = 1 + resp_formation = 2 + tuteur_univ = 3 + etudiant = 4 + tuteur_entreprise = 5
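Review bot: `UserAPI.post` is now gated on `Roles.resp_formation`, but `role` is still taken from the client body and `checkParams` only checks it is present, so a caller with that role can apparently create a user with any role, including another resp_formation or a secretaire; if that is not intended, restrict the assignable values here. The value also needs format validation regardless: `login_required` parses a user's `role` as "-"-separated integers and calls `int()` on each piece, so an unexpected value stored here would make every later request by that user fail with a 500 instead of a 401. Something like `if not all(p.isdigit() and int(p) in KNOWN_ROLES for p in str(args['role']).split("-")): return {"msg": "invalid role"}, 400`, with `KNOWN_ROLES` built from the `Roles` constants, would cover it — assuming the field is stored in the same "-"-joined form the decorator reads, which the hunk does not show. The rest of `post` continues outside the hunk.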
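Review bot: `UserInfoAPI.get` returns the entire `session['user']` object as `{'USER': user}`; if login stores anything beyond identity and role in that dict (a password hash, a token, an email used for account recovery), this endpoint echoes it to the browser — I cannot see what login stores from here, so please check. Returning an explicit projection, e.g. `return {'USER': {k: user[k] for k in ('id', 'name', 'email', 'role') if k in user}}, 200` with the real field names, keeps the response stable as the session content evolves. Note that with Flask's default cookie session the user can already read the session contents client-side, so the actual fix for any sensitive field is to not put it in the session at all.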
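Review bot: With `@login_required()` on `UserGroupsAPI.get`, the `if user is not None:` check immediately below can no longer be false (the decorator returns 401 before the body runs), so the branch is dead and the reader is left wondering which layer is authoritative. Either drop the check and dedent the body, or keep it with a comment such as `# defensive: login_required already guarantees a user` so the redundancy is deliberate. The method body continues outside the hunk.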
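Review bot: `Roles` is a plain class of five bare integers with no docstring, yet it is the vocabulary every `@login_required(roles=[...])` in this commit is written against and that `login_required` compares `int()`-parsed session values to; add a docstring recording that, e.g. `"""Role identifiers. A user's role field holds one or more of these ids joined by "-" (see login_required)."""`. Consider `class Roles(enum.IntEnum)` (needs `import enum`): members still compare equal to the stored ints so existing `int(x) in roles` checks keep working, and `Roles(value)` raises ValueError for unknown ids, which gives UserAPI a ready-made validation for client-supplied roles. Add a `# do not renumber: ids are persisted in the user table` comment if that is the case, since any renumbering silently changes who is allowed where.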