api/users/{{user}}/messages add check auth

app/controllers/users/messages_controller.rb

@@ -1,6 +1,7 @@
 class Users::MessagesController < Users::BaseController 
   before_action :private_user_resources!
   before_action :find_receivers, only: [:create]
+  before_action :check_auth
 
   def index 
 		limit = params[:limit] || params[:per_page]
@@ -63,6 +64,10 @@ class Users::MessagesController < Users::BaseController
   end
 
   private 
+  def check_auth
+    return render_forbidden unless current_user.admin? || observed_logged_user?
+  end
+
   def message_type 
     @message_type = begin
       case params[:type]