diff --git a/back_latienda/permissions.py b/back_latienda/permissions.py
index 0ec3c4f..ccc4bcd 100644
--- a/back_latienda/permissions.py
+++ b/back_latienda/permissions.py
@@ -3,12 +3,12 @@ from rest_framework import permissions
 class IsCreator(permissions.BasePermission):
 """
- Grant permission is request.user same as obj.creator
+ Grant permission if request.user same as obj.creator
 """
 def has_object_permission(self, request, view, obj):
 if obj is not None:
- # allow is authenticated and method is safe
+ # allow if authenticated and method is safe
 if request.method in permissions.SAFE_METHODS:
 return True
@@ -20,6 +20,17 @@ class IsCreator(permissions.BasePermission):
 return False
+class IsStaff(permissions.BasePermission):
+ """
+ Grant permission if request.user.is_staff is True
+ """
+
+ def has_object_permission(self, request, view, obj):
+ if obj is not None:
+ if request.user.is_staff is True:
+ return True
+ return False
+
 class ReadOnly(permissions.BasePermission):
 def has_permission(self, request, view):
 return request.method in permissions.SAFE_METHODS
diff --git a/history/views.py b/history/views.py
index 75703b4..f86367c 100644
--- a/history/views.py
+++ b/history/views.py
@@ -5,7 +5,10 @@ from rest_framework import viewsets
 from history.models import HistorySync
 from history.serializers import HistorySyncLogSerializer
+from back_latienda.permissions import IsStaff
+
 class HistorySyncViewSet(viewsets.ModelViewSet):
 queryset = HistorySync.objects.all()
 serializer_class = HistorySyncLogSerializer
+ permission_classes = [IsStaff,]
diff --git a/products/views.py b/products/views.py
index 538750a..ba342cb 100644
--- a/products/views.py
+++ b/products/views.py
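Review bot: `IsStaff` defines only `has_object_permission`, so it does not restrict the `list` and `create` actions of the viewsets that use it. DRF runs object-level checks only from `get_object()`, and the inherited `BasePermission.has_permission` returns True; because `permission_classes = [IsStaff,]` is the sole class set in history/views.py and stats/views.py, listing and creating records on those ModelViewSets appears to stay open to non-staff and anonymous callers. Add the request-level check, `def has_permission(self, request, view): return bool(request.user and request.user.is_staff)`, or replace the class with DRF's built-in `permissions.IsAdminUser`, which performs that same check. A test asserting 403 for a non-staff user on the list endpoint would pin the behaviour.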
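Review bot: `HistorySyncViewSet` remains a `viewsets.ModelViewSet`, so the create, update and delete actions are exposed alongside read access for whoever passes the permission check. If HistorySync rows are meant to be a record of past syncs (inferred from the model and serializer names only), `viewsets.ReadOnlyModelViewSet` would keep them from being altered or removed through the API. The same consideration applies to `StatsLogViewSet` in stats/views.py.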
@@ -2,10 +2,15 @@ from django.shortcuts import render
 # Create your views here.
 from rest_framework import viewsets
+from rest_framework.permissions import IsAuthenticatedOrReadOnly
+
 from products.models import Product
 from products.serializers import ProductSerializer
+from back_latienda.permissions import IsCreator
+
 class ProductViewSet(viewsets.ModelViewSet):
 queryset = Product.objects.all()
 serializer_class = ProductSerializer
+ permission_classes = [IsAuthenticatedOrReadOnly, IsCreator]
diff --git a/stats/views.py b/stats/views.py
index 37a238c..3560e55 100644
--- a/stats/views.py
+++ b/stats/views.py
@@ -5,7 +5,10 @@ from rest_framework import viewsets
 from stats.models import StatsLog
 from stats.serializers import StatsLogSerializer
+from back_latienda.permissions import IsStaff
+
 class StatsLogViewSet(viewsets.ModelViewSet):
 queryset = StatsLog.objects.all()
 serializer_class = StatsLogSerializer
+ permission_classes = [IsStaff,]
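Review bot: Nothing in `ProductViewSet` binds a new product's `creator` to the authenticated user, yet `IsCreator` authorises later writes by comparing `request.user` with `obj.creator`. `IsAuthenticatedOrReadOnly` lets any authenticated user POST, and unless `ProductSerializer` (not shown in this diff) treats `creator` as read-only, the ownership value could be taken from the request body on create or changed on update. Setting it server-side closes that gap: `def perform_create(self, serializer): serializer.save(creator=self.request.user)`, together with listing `creator` in the serializer's `read_only_fields`.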