diff --git a/devops-service/db/mongo/models/user.rb b/devops-service/db/mongo/models/user.rb index 7b3e835..6adb27d 100644 --- a/devops-service/db/mongo/models/user.rb +++ b/devops-service/db/mongo/models/user.rb @@ -10,7 +10,7 @@ class User < MongoModel ROOT_PASSWORD = '' PRIVILEGES = ["r", "w", "x"] - PRIVILEGES_REGEX = /x?y?z?/ + PRIVILEGES_REGEX = /r?w?x?/ attr_accessor :id, :password, :privileges, :email types :id => {:type => String, :empty => false}, @@ -33,7 +33,7 @@ class User < MongoModel end def grant cmd, priv='' - if !priv.empty? and PRIVILEGES_REGEX.match(priv).empty? + if !priv.empty? and PRIVILEGES_REGEX.match(priv).to_s.empty? raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'" end raise InvalidCommand.new "Can't grant privileges to root" if self.id == ROOT_USER_NAME @@ -76,6 +76,7 @@ class User < MongoModel return p.include?(priv) end +=begin def check_privilege_read cmd check_privilege_r_w cmd, "r" end @@ -89,6 +90,7 @@ class User < MongoModel return false if p.nil? return p == flag || p == 'rw' end +=end def self.create_root root = User.new({'username' => ROOT_USER_NAME, 'password' => ROOT_PASSWORD}) diff --git a/devops-service/db/mongo/mongo_connector.rb b/devops-service/db/mongo/mongo_connector.rb index ffd56c1..2ee1794 100644 --- a/devops-service/db/mongo/mongo_connector.rb +++ b/devops-service/db/mongo/mongo_connector.rb @@ -323,10 +323,8 @@ class MongoConnector def check_user_privileges id, cmd, priv user = self.user(id) case priv - when "r" - raise InvalidPrivileges.new("Access denied for '#{user.id}'") unless user.check_privilege_read cmd - when "w" - raise InvalidPrivileges.new("Access denied for '#{user.id}'") unless user.check_privilege_write cmd + when "r", "w", "x" + raise InvalidPrivileges.new("Access denied for '#{user.id}'") unless user.check_privilege cmd, priv else raise InvalidPrivileges.new("Access internal problem with privilege '#{priv}'") end 
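Review bot: The validation on the changed `if` line in `grant` still accepts malformed privilege strings: `/r?w?x?/` from the first hunk is unanchored and every atom is optional, so `match` succeeds on any input and `to_s.empty?` only tells whether the first character is one of r, w or x — `"rfoo"` or `"xr"` pass and are stored as given. Anchor the pattern and require the whole string to consist of known letters: `PRIVILEGES_REGEX = /\A[rwx]+\z/` in the first hunk and `if !priv.empty? && PRIVILEGES_REGEX.match(priv).nil?` here. Deriving the character class from `PRIVILEGES` (`/\A[#{PRIVILEGES.join}]+\z/`) keeps the two constants in step. The rest of `grant` continues outside the hunk.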
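Review bot: The `=begin` added in the third hunk of user.rb (closed by the `=end` in the fourth) keeps `check_privilege_read`, `check_privilege_write` and `check_privilege_r_w` in the class as commented-out code now that `MongoConnector#check_user_privileges` no longer calls them; deleting them is preferable, since version control keeps the history and `=begin` blocks are easy to overlook when reading the class. If they are retained deliberately, a one-line reason above `=begin` such as `# Superseded by check_privilege; remove once all callers are migrated` would say so. `=begin`/`=end` are only recognised at column 0, which appears to be the case here. The method whose closing `return p.include?(priv)` opens the hunk (presumably `check_privilege`) starts outside it.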
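Review bot: The new `when "r", "w", "x"` in `check_user_privileges` duplicates the list already defined as `PRIVILEGES = ["r", "w", "x"]` in `User` (first hunk of user.rb); `when *User::PRIVILEGES` keeps the two in step if a privilege is ever added. Visible on the context lines and inherited from the old branches: if `self.user(id)` returns nil for an unknown `id`, `user.check_privilege` raises NoMethodError instead of an `InvalidPrivileges` denial, so a guard before the `case`, e.g. `raise InvalidPrivileges.new("Access denied for '#{id}'") if user.nil?`, would fail closed with the intended error type. Whether `self.user` can return nil is not visible in the hunk.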
diff --git a/devops-service/routes/v2.0/base_routes.rb b/devops-service/routes/v2.0/base_routes.rb index ec63d3a..ebb74d1 100644 --- a/devops-service/routes/v2.0/base_routes.rb +++ b/devops-service/routes/v2.0/base_routes.rb @@ -27,10 +27,7 @@ module Version2_0 halt(rstatus, json(obj)) end - def check_privileges cmd, p=nil - if p != "r" and p != "w" - p = request.get? ? "r" : "w" - end + def check_privileges cmd, p BaseRoutes.mongo.check_user_privileges(request.env['REMOTE_USER'], cmd, p) end diff --git a/devops-service/routes/v2.0/image.rb b/devops-service/routes/v2.0/image.rb index 23a8467..c5bbe6e 100644 --- a/devops-service/routes/v2.0/image.rb +++ b/devops-service/routes/v2.0/image.rb @@ -12,15 +12,6 @@ module Version2_0 puts "Image routes initialized" end - before "/image/:image_id" do - if request.get? or request.delete? - check_headers :accept - else - check_headers - end - check_privileges("image") - end - after %r{\A/image(/[\w]+)?\z} do statistic end @@ -99,6 +90,8 @@ module Version2_0 # "id": "36dc7618-4178-4e29-be43-286fbfe90f50" # } get "/image/:image_id" do + check_headers :accept + check_privileges("image", "r") json BaseRoutes.mongo.image(params[:image_id]) end @@ -147,6 +140,8 @@ module Version2_0 # * *Returns* : # 200 - Updated put "/image/:image_id" do + check_headers + check_privileges("image", "w") BaseRoutes.mongo.image params[:image_id] image = Image.new(create_object_from_json_body) image.id = params[:image_id] @@ -164,6 +159,8 @@ module Version2_0 # * *Returns* : # 200 - Deleted delete "/image/:image_id" do + check_headers + check_privileges("image", "w") projects = BaseRoutes.mongo.projects_by_image params[:image_id] unless projects.empty? ar = [] diff --git a/devops-service/routes/v2.0/project.rb b/devops-service/routes/v2.0/project.rb index 170acd4..ce32a8f 100644 --- a/devops-service/routes/v2.0/project.rb +++ b/devops-service/routes/v2.0/project.rb 
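Review bot: `check_privileges` now requires `p`, so any caller still using the old one-argument form fails with ArgumentError rather than being privilege-checked; this diff updates only image.rb and project.rb, so any other route file (not visible here) needs the same treatment. A short comment documenting the new contract would help: `# p must be "r", "w" or "x"; the HTTP method is no longer used to infer it`. The method still passes `request.env['REMOTE_USER']` through unchecked; whether a nil user is handled downstream is not visible in this diff.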
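Review bot: Removing the `before "/image/:image_id"` filter in the first hunk of image.rb turns authorization on that path from fail-closed into opt-in: only the `get`, `put` and `delete` handlers in the following three hunks call `check_privileges`, so any other verb registered for `/image/:image_id` (none visible here) or a handler added later runs with no privilege check. The same applies to the removed `before "/project/:id"` filter in the first hunk of project.rb. One header check also changed: the removed filter ran `check_headers :accept` for DELETE, while the new `delete "/image/:image_id"` calls bare `check_headers` and project.rb's new delete uses `check_headers :accept, :content_type`; if the Accept check on DELETE is still intended, `check_headers :accept` on that line restores it. A comment on each handler such as `# authorization is per-route: the path-wide before filter was removed` would make the opt-in nature explicit to the next person adding a route.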
@@ -18,15 +18,6 @@ module Version2_0 puts "Project routes initialized" end - before "/project/:id" do - if request.get? - check_headers :accept - else - check_headers :accept, :content_type - end - check_privileges("project") - end - before "/project/:id/user" do check_headers :accept, :content_type check_privileges("project", "w") @@ -95,6 +86,8 @@ module Version2_0 # "name": "project_1" # } get "/project/:project" do + check_headers :accept + check_privileges("project", "r") json BaseRoutes.mongo.project(params[:project]) end @@ -226,6 +219,8 @@ module Version2_0 # 200 - Updated # TODO: multi project put "/project/:id" do + check_headers + check_privileges("project", "w") project = Project.new(create_object_from_json_body) project.id = params[:id] old_project = BaseRoutes.mongo.project params[:id] @@ -331,6 +326,8 @@ module Version2_0 # * *Returns* : # 200 - Deleted delete "/project/:id" do + check_headers :accept, :content_type + check_privileges("project", "w") servers = BaseRoutes.mongo.servers params[:id] raise DependencyError.new "Deleting #{params[:id]} is forbidden: Project has servers" if !servers.empty? body = create_object_from_json_body(Hash, true)
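Review bot: The new `put "/project/:id"` handler in the third hunk calls `check_headers` with no arguments, whereas the removed filter in the first hunk ran `check_headers :accept, :content_type` for every non-GET request on this path; unless the no-argument form defaults to both headers, the Content-Type check on PUT is weakened. The new `delete` handler in the last hunk does pass `:accept, :content_type`, so `check_headers :accept, :content_type` on the PUT line would restore the previous behaviour and match it. The GET handler keeps `:accept` as before. The bodies of the put and delete handlers continue beyond their hunks.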