diff --git a/rhodecode/authentication/views.py b/rhodecode/authentication/views.py
--- a/rhodecode/authentication/views.py
+++ b/rhodecode/authentication/views.py
@@ -44,7 +44,10 @@ class AuthnPluginViewBase(object):
 self.request = request
 self.context = context
 self.plugin = context.plugin
+ self._rhodecode_user = request.user
+ @LoginRequired()
+ @HasPermissionAllDecorator('hg.admin')
 def settings_get(self, defaults=None, errors=None):
 """
 View that displays the plugin settings as a form.
@@ -67,6 +70,9 @@ class AuthnPluginViewBase(object):
 return template_context
+ @LoginRequired()
+ @HasPermissionAllDecorator('hg.admin')
+ @auth.CSRFRequired()
 def settings_post(self):
 """
 View that validates and stores the plugin settings.
diff --git a/rhodecode/login/views.py b/rhodecode/login/views.py
--- a/rhodecode/login/views.py
+++ b/rhodecode/login/views.py
@@ -208,6 +208,8 @@ class LoginView(object):
 })
 return render_ctx
+ @HasPermissionAnyDecorator(
+ 'hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')
 @view_config(
 route_name='register', request_method='POST',
 renderer='rhodecode:templates/register.html')
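Review bot: The new `self._rhodecode_user = request.user` at the top of the first hunk in rhodecode/authentication/views.py carries no comment and nothing visible reads it; presumably `LoginRequired` and `HasPermissionAllDecorator` look it up on the view instance, which is worth stating, e.g. `# consumed by the auth decorators on the view methods`. Because the checks are attached to the base-class methods, a plugin view that subclasses `AuthnPluginViewBase` and overrides `settings_get` or `settings_post` (second hunk) would replace the decorated method and drop the admin check, so any override needs the same decorators. The import lines for the decorator names and the start of the constructor are outside the hunk. A test that requests the settings view as an anonymous user and as a non-admin user would pin the fix.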
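Review bot: The decorator stack on `settings_post` mixes two reference styles: `LoginRequired` and `HasPermissionAllDecorator` are bare names while the CSRF check is written `@auth.CSRFRequired()`; importing it by name and writing `@CSRFRequired()` would keep the three consistent. With the order shown, the login and permission checks wrap the CSRF check and so should run before it, assuming these decorators wrap in the usual way. The docstring could also gain a line such as `Requires an authenticated 'hg.admin' user and a valid CSRF token.` so the contract is visible without reading the decorators. The method body continues outside the hunk.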
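Review bot: The permission check on the `register` POST view in rhodecode/login/views.py may depend on an attribute that `LoginView` is not shown to set: the first hunk adds `self._rhodecode_user` to `AuthnPluginViewBase`, apparently for these decorators, and nothing equivalent is visible here. If `HasPermissionAnyDecorator` reads that attribute, confirm the `LoginView` constructor provides it, otherwise the request would end in an attribute error rather than a clean denial. The decorator also sits above `@view_config(...)` instead of directly above the method; if that order is intentional, a comment such as `# permission check wraps the method; view_config only registers it` would explain it. Only the POST route is visible, so whether the GET view that renders the registration form gets the same check cannot be confirmed from this hunk, and the decorated method itself lies outside it.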