diff --git a/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java b/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
index 43bcd0c..4a20058 100644
--- a/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
+++ b/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
@@ -8,8 +8,11 @@ import org.springframework.web.bind.annotation.*;
 import ovh.herisson.Clyde.Responses.UnauthorizedResponse;
 import ovh.herisson.Clyde.Services.AuthenticatorService;
 import ovh.herisson.Clyde.Services.UserService;
+import ovh.herisson.Clyde.Tables.Role;
 import ovh.herisson.Clyde.Tables.User;
 
+import java.util.ArrayList;
+
 
 @RestController
 @CrossOrigin(origins = "http://localhost:5173")
@@ -23,25 +26,57 @@ public class UserController {
     }
 
     @GetMapping("/user")
-    public ResponseEntity<User> getUser(@RequestHeader("Cookie") String authorization){
+    public ResponseEntity<Object[]> getUser(@RequestHeader("Authorization") String authorization){
 
         if (authorization == null) return new UnauthorizedResponse<>(null);
         User user = authServ.getUserFromToken(authorization);
         if (user == null) return new UnauthorizedResponse<>(null);
-        return new ResponseEntity<>(user, HttpStatus.OK);
+
+        return new ResponseEntity<>(userWithoutPassword(user), HttpStatus.OK);
     }
 
-    @PostMapping("/user") //todo check role
-    public ResponseEntity<String> postUser(@RequestBody User user){
+    @PostMapping("/user")
+    public ResponseEntity<String> postUser(@RequestBody User user,@RequestHeader("Authorization") String authorization){
+
+        if (authorization == null) return new UnauthorizedResponse<>(null);
+        User poster = authServ.getUserFromToken(authorization);
+
+        if (poster.getRole() != Role.Secretary || poster.getRole() != Role.Admin)
+            return new UnauthorizedResponse<>(null);
+
+
         userService.save(user);
         return new ResponseEntity<>(String.format("Account created with ID:%s",user.getRegNo()),HttpStatus.CREATED);
     }
 
     @GetMapping("/users")
-    public Iterable<User> getAllUsers(){
-        return userService.getAll();
+    public ResponseEntity<Iterable<Object[]>> getAllUsers(@RequestHeader("Authorization") String authorization){
+
+        if (authorization == null) return new UnauthorizedResponse<>(null);
+        User poster = authServ.getUserFromToken(authorization);
+
+        if (poster == null) return new UnauthorizedResponse<>(null);
+
+        if (poster.getRole() != Role.Secretary || poster.getRole() != Role.Admin)
+            return new UnauthorizedResponse<>(null);
+
+        Iterable<User> users = userService.getAll();
+        ArrayList<Object[]> withoutPassword = new ArrayList<>();
+
+        for (User u :users){
+            withoutPassword.add(userWithoutPassword(u));
+        }
+        return new ResponseEntity<>(withoutPassword, HttpStatus.OK);
     }
 
 
+
+    /** return user's data except password
+     * @param user the user to return
+     * @return all the user data without the password
+     */
+    private Object[] userWithoutPassword(User user){
+        return new Object[] {user.getRegNo(),user.getFirstName(),user.getLastName(),user.getBirthDate(),user.getCountry(),user.getAddress(),user.getRole()};
+    }
 }