diff --git a/backend/ipLab/data.mv.db b/backend/ipLab/data.mv.db
index d358ec9..beb5caa 100644
Binary files a/backend/ipLab/data.mv.db and b/backend/ipLab/data.mv.db differ
diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
index 992e0d2..6aefd06 100644
--- a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
@@ -63,6 +63,10 @@ public class SecurityConfiguration {
                         .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                         .requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN")
                         .requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/api/customer/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/api/store/addStore/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/customer/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/store/addToStore/**").hasRole("ADMIN")
                         .requestMatchers("/api/**").authenticated()
                         .requestMatchers(HttpMethod.POST, UserController.URL_LOGIN).permitAll()
                         .requestMatchers(HttpMethod.GET, "/img/**").permitAll())
diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
index a1c9c23..30ef893 100644
--- a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
@@ -1,10 +1,14 @@
 package com.example.ipLab.StoreDataBase.Controllers;
 
 import com.example.ipLab.StoreDataBase.DTO.CustomerDTO;
+import com.example.ipLab.StoreDataBase.Exceptions.ForbiddenException;
+import com.example.ipLab.StoreDataBase.Model.CustomUser;
 import com.example.ipLab.StoreDataBase.Model.Customer;
+import com.example.ipLab.StoreDataBase.Model.UserRole;
 import com.example.ipLab.StoreDataBase.Service.CustomerService;
 import com.example.ipLab.WebConfiguration;
 import jakarta.validation.Valid;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -24,7 +28,7 @@ public class CustomerController {
     }
 
     @GetMapping
-    public List<CustomerDTO> getCustomers(){
+    public List<CustomerDTO> getCustomers(@AuthenticationPrincipal CustomUser user){
         return  customerService.getAllCustomers().stream()
                 .map(CustomerDTO::new)
                 .toList();
diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java
new file mode 100644
index 0000000..580c4b2
--- /dev/null
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java
@@ -0,0 +1,8 @@
+package com.example.ipLab.StoreDataBase.Exceptions;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.FORBIDDEN)
+public class ForbiddenException extends RuntimeException {
+}
diff --git a/backend/ipLab/src/main/resources/templates/customer.html b/backend/ipLab/src/main/resources/templates/customer.html
index 352bbed..f69045e 100644
--- a/backend/ipLab/src/main/resources/templates/customer.html
+++ b/backend/ipLab/src/main/resources/templates/customer.html
@@ -5,52 +5,60 @@
 <head>
 </head>
 <body>
-<div sec:authorize="hasRole('ROLE_ADMIN')" layout:fragment="content">
-    <div>
-        <a class="btn btn-success button-fixed"
-           th:href="@{/customer/edit/}">
-            <i class="fa-solid fa-plus"></i> Добавить
-        </a>
+<div layout:fragment="content">
+    <div sec:authorize="hasRole('ROLE_ADMIN')">
+        <div>
+            <a class="btn btn-success button-fixed"
+               th:href="@{/customer/edit/}">
+                <i class="fa-solid fa-plus"></i> Добавить
+            </a>
+        </div>
+        <div class="table-responsive">
+            <table class="table table-success table-hover">
+                <thead>
+                <tr>
+                    <th scope="col">#</th>
+                    <th scope="col">ID</th>
+                    <th scope="col">Фамилия</th>
+                    <th scope="col">Имя</th>
+                    <th scope="col">Отчество</th>
+                    <th scope="col"></th>
+                </tr>
+                </thead>
+                <tbody>
+                <tr th:each="customer, iterator: ${customers}">
+                    <th scope="row" th:text="${iterator.index} + 1"/>
+                    <td th:text="${customer.Id}"/>
+                    <td th:text="${customer.lastName}"/>
+                    <td th:text="${customer.firstName}"/>
+                    <td th:text="${customer.middleName}"/>
+                    <td style="width: 10%">
+                        <div class="btn-group" role="group" aria-label="Basic example">
+                            <a class="btn btn-warning button-fixed button-sm"
+                               th:href="@{/customer/edit/{id}(id=${customer.id})}">
+                                <i class="fa fa-pencil" aria-hidden="true"></i> Изменить
+                            </a>
+                            <button type="button" class="btn btn-danger button-fixed button-sm"
+                                    th:attr="onclick=|confirm('Удалить запись?') && document.getElementById('remove-${customer.id}').click()|">
+                                <i class="fa fa-trash" aria-hidden="true"></i> Удалить
+                            </button>
+                        </div>
+                        <form th:action="@{/customer/delete/{id}(id=${customer.id})}" method="post">
+                            <button th:id="'remove-' + ${customer.id}" type="submit" style="display: none">
+                                Удалить
+                            </button>
+                        </form>
+                    </td>
+                </tr>
+                </tbody>
+            </table>
+        </div>
     </div>
-    <div class="table-responsive">
-        <table class="table table-success table-hover">
-            <thead>
-            <tr>
-                <th scope="col">#</th>
-                <th scope="col">ID</th>
-                <th scope="col">Фамилия</th>
-                <th scope="col">Имя</th>
-                <th scope="col">Отчество</th>
-                <th scope="col"></th>
-            </tr>
-            </thead>
-            <tbody>
-            <tr th:each="customer, iterator: ${customers}">
-                <th scope="row" th:text="${iterator.index} + 1"/>
-                <td th:text="${customer.Id}"/>
-                <td th:text="${customer.lastName}"/>
-                <td th:text="${customer.firstName}"/>
-                <td th:text="${customer.middleName}"/>
-                <td style="width: 10%">
-                    <div class="btn-group" role="group" aria-label="Basic example">
-                        <a class="btn btn-warning button-fixed button-sm"
-                           th:href="@{/customer/edit/{id}(id=${customer.id})}">
-                            <i class="fa fa-pencil" aria-hidden="true"></i> Изменить
-                        </a>
-                        <button type="button" class="btn btn-danger button-fixed button-sm"
-                                th:attr="onclick=|confirm('Удалить запись?') && document.getElementById('remove-${customer.id}').click()|">
-                            <i class="fa fa-trash" aria-hidden="true"></i> Удалить
-                        </button>
-                    </div>
-                    <form th:action="@{/customer/delete/{id}(id=${customer.id})}" method="post">
-                        <button th:id="'remove-' + ${customer.id}" type="submit" style="display: none">
-                            Удалить
-                        </button>
-                    </form>
-                </td>
-            </tr>
-            </tbody>
-        </table>
+    <div sec:authorize="hasRole('ROLE_USER')">
+        <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+        </div>
     </div>
 </div>
 </body>
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index fc8eb73..106c6ba 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -8,6 +8,7 @@ import OrderPage from './components/pages/orderPage';
 import AddToStorePage from './components/pages/addToStorePage';
 import LoginPage from './components/pages/loginPage';
 import Logout from './components/pages/logout';
+import ForbiddenPage from './components/pages/forbiddenPage'
 import './styleSite.css';
 
 function Router(props) {
@@ -18,10 +19,12 @@ export default function App() {
   const routes = [
     { index: true, element: <StorePage/> },
     localStorage.getItem("role") === "ADMIN" && { path: 'customer', element: <CustomerPage/>, label:'Покупатели'},
+    localStorage.getItem("role") !== "ADMIN" && { path: 'customer', element: <ForbiddenPage/>},
     { path: 'store', element: <StorePage/>, label: 'Магазины' },
     { path: 'product', element: <ProductPage/>, label: 'Товары' },
     { path: 'order', element: <OrderPage/>, label: 'Заказы'},
     localStorage.getItem("role") === "ADMIN" && { path: 'addToStore', element: <AddToStorePage/>, label: 'Доставка'},
+    localStorage.getItem("role") !== "ADMIN" && { path: 'addToStore', element: <ForbiddenPage/>},
     { path: '/login', element: <LoginPage/>},
     { path: '/logout', element: <Logout/>}
   ];
diff --git a/frontend/src/components/pages/customerPage.jsx b/frontend/src/components/pages/customerPage.jsx
index 3d5885f..d819984 100644
--- a/frontend/src/components/pages/customerPage.jsx
+++ b/frontend/src/components/pages/customerPage.jsx
@@ -28,7 +28,7 @@ function CustomerPage(){
     }
     return(
         <article className="h-100 mt-0 mb-0 d-flex flex-column justify-content-between">
-        <CustomerTable headers={catalogCustomerHeaders} 
+        {localStorage.getItem("role") === "ADMIN" && <CustomerTable headers={catalogCustomerHeaders} 
             getAllUrl={url}
             url={url}
             getUrl={getUrl}
@@ -48,7 +48,12 @@ function CustomerPage(){
             <label className="form-label" forhtml="middleName">Отчество</label>
             <input className="form-control" type="text" id="middleName" value={data.middleName} onChange={handleFormChange} required="required"/>
           </div>
-        </CustomerTable>
+        </CustomerTable>}
+        {localStorage.getItem("role") !== "ADMIN" && 
+          <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+          </div>}
       </article>
     )
 }
diff --git a/frontend/src/components/pages/forbiddenPage.jsx b/frontend/src/components/pages/forbiddenPage.jsx
new file mode 100644
index 0000000..01982a7
--- /dev/null
+++ b/frontend/src/components/pages/forbiddenPage.jsx
@@ -0,0 +1,8 @@
+export default function ForbiddenPage(){
+    return(
+        <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+        </div>
+    )
+}
\ No newline at end of file