diff --git a/src/api/controllers/state/add.state.js b/src/api/controllers/state/add.state.js index a51af4d..3734880 100644 --- a/src/api/controllers/state/add.state.js +++ b/src/api/controllers/state/add.state.js @@ -1,8 +1,9 @@ -const isAdmin = require('../../middlewares/isAdmin') +const isRespo = require('../../middlewares/isRespo') const errorHandler = require('../../utils/errorHandler') const isAuth = require('../../middlewares/isAuth') const { check } = require('express-validator/check') const validateBody = require('../../middlewares/validateBody') +const log = require('../../utils/log')(module) /** * GET /users @@ -13,8 +14,9 @@ const validateBody = require('../../middlewares/validateBody') * ] */ module.exports = app => { - app.post('/states', [isAuth(), isAdmin()]) - app.post('/states', [ + app.post('/states/:id', [isAuth(), isRespo()]) + + app.post('/states/:id', [ check('title') .exists() .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i), @@ -22,27 +24,32 @@ module.exports = app => { .exists() .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i), check('popover') - .exists() .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i), - check('spotlightId') - .exists() - .matches(/\d/), validateBody() ]) - app.post('/states', async (req, res) => { + + app.post('/states/:id', async (req, res) => { const { State, Spotlight } = req.app.locals.models try { - const { title, desc, popover, spotlightId } = req.body + const spotlightId = req.params.id + const { title, desc, popover } = req.body + let spotlight = await Spotlight.findById(spotlightId) - if(!spotlight) return res.status(404).json({ error: 'NOT_FOUND' }).end() + if(!spotlight) { + return res + .status(404) + .json({ error: 'NOT_FOUND' }) + .end() + } + let state = await State.create({ title, desc, - popover + popover: popover || '' }) + await spotlight.addState(state) - await state.save() await spotlight.save() return res 
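Review bot: The `[isAuth(), isRespo()]` guard on the new `POST /states/:id` route is not visibly tied to `:id`, so any respo appears able to add a state to any spotlight; the `hasPermission` middleware introduced in this same commit does a per-`req.params.id` check but is not registered here — hedged, since `isRespo`'s body is outside the diff. The `check('title')` pattern `[A-zÀ-ÿ0-9 '#@!&\-$%]` also has a range bug: `A-z` covers 0x41–0x7A and therefore admits `[`, `\`, `]`, `^`, `_` and backtick, none of which the author seems to intend; with the `/i` flag the fix is simply `.matches(/^[A-Za-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i)`. The same class is reused for `desc` and `popover` further down and should be corrected there too. The enclosing `module.exports` callback continues past this hunk.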
diff --git a/src/api/controllers/state/set.spotlight.state.js b/src/api/controllers/state/set.spotlight.state.js index 676242f..a672b1c 100644 --- a/src/api/controllers/state/set.spotlight.state.js +++ b/src/api/controllers/state/set.spotlight.state.js @@ -5,7 +5,7 @@ const { check } = require('express-validator/check') const validateBody = require('../../middlewares/validateBody') /** - * GET /users + * PUT /states/:id * * Response: * [ @@ -13,27 +13,33 @@ const validateBody = require('../../middlewares/validateBody') * ] */ module.exports = app => { - app.put('/spotlights/:id/state', [isAuth(), isRespo()]) - app.put('/spotlights/:id/state', [ + app.put('/states/:id', [isAuth(), isRespo()]) + app.put('/states/:id', [ check('value') .exists() .matches(/\d/), validateBody() ]) - app.put('/spotlights/:id/state', async (req, res) => { + app.put('/states/:id', async (req, res) => { const { Spotlight } = req.app.locals.models try { const { value } = req.body - const { id } = req.params - let spotlight = await Spotlight.findById(id) - if(!spotlight) return res.status(404).json({ error: 'NOT_FOUND' }) + const spotlightId = req.params.id + + let spotlight = await Spotlight.findById(spotlightId) + if(!spotlight) { + return res + .status(404) + .json({ error: 'NOT_FOUND' }) + .end() + } + spotlight.state = value await spotlight.save() return res .status(200) - .json(spotlight) .end() } catch (err) { errorHandler(err, res) diff --git a/src/api/controllers/user/user.infos.js b/src/api/controllers/user/user.infos.js index a0c0ec7..08572f9 100644 --- a/src/api/controllers/user/user.infos.js +++ b/src/api/controllers/user/user.infos.js @@ -65,7 +65,8 @@ module.exports = app => { if(permission) { permissionData = { admin: permission.admin, - respo: permission.respo + respo: permission.respo, + permission: permission.permission } } else { diff --git a/src/api/middlewares/hasPermission.js b/src/api/middlewares/hasPermission.js new file mode 100644 index 0000000..83f97fc 
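Review bot: `check('value').exists().matches(/\d/)` in the `PUT /states/:id` chain accepts any string that merely contains a digit (e.g. `abc1<script>`), and the handler then assigns it verbatim with `spotlight.state = value`; anchor or type it, e.g. `check('value').exists().isInt().toInt(),` so `value` reaches the model as a number. The route name now hides that `:id` is a Spotlight id, not a State id — a one-line comment above the handler such as `// :id is the Spotlight whose state is being set` would spare the next reader. The `isRespo()` guard does not appear to be scoped to that id, and the new `hasPermission` middleware from this commit is not applied here (hedged, as `isRespo` is not in the diff). With `.json(spotlight)` dropped the 200 reply is now body-less; worth confirming no client reads it.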
--- /dev/null
+++ b/src/api/middlewares/hasPermission.js
@@ -0,0 +1,28 @@
+const jwt = require('jsonwebtoken')
+const { promisify } = require('util')
+const log = require('../utils/log')(module)
+
+jwt.verify = promisify(jwt.verify)
+
+module.exports = route => async (req, res, next) => {
+ let authorized = false
+
+ if(req.user && req.user.permission) {
+ if(req.user.permission.admin) {
+ authorized = true
+ }
+ else if(req.user.permission.respo && req.user.permission.respo.includes(req.params.id)) {
+ authorized = true
+ }
+ }
+
+ if(authorized) {
+ next()
+ }
+ else {
+ return res
+ .status(401)
+ .json({ error: 'UNAUTHORIZED' })
+ .end()
+ }
+}
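Review bot: The respo branch calls `req.user.permission.respo.includes(req.params.id)` with `req.params.id` always a string; if `respo` is stored as a string this is a substring match (`'12'.includes('1')` is true) and a respo for spotlight 12 is authorized for spotlight 1, while if it is an array of numbers strict equality never matches and every respo is denied — the diff does not show `respo`'s shape, so this needs checking against the model. Make the comparison shape-safe and type-normalised: `const respo = req.user.permission.respo` then `authorized = Array.isArray(respo) && respo.map(String).includes(String(req.params.id))`. `jwt.verify = promisify(jwt.verify)` rewrites the shared jsonwebtoken export at require time although nothing in this file calls it, so merely requiring this middleware changes `jwt.verify`'s calling convention for every other module; drop it along with the unused `jwt`, `log` and `route`. An authenticated caller who simply lacks the permission should receive 403 rather than 401, since the credential itself was accepted, and a header comment that this middleware must run after whatever populates `req.user.permission` (presumably `isAuth`) would document the ordering it depends on.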