diff --git a/src/main/kotlin/uk/co/neviyn/booru/Entity.kt b/src/main/kotlin/uk/co/neviyn/booru/Entity.kt
index d80f443..08d5b73 100644
--- a/src/main/kotlin/uk/co/neviyn/booru/Entity.kt
+++ b/src/main/kotlin/uk/co/neviyn/booru/Entity.kt
@@ -3,6 +3,7 @@ package uk.co.neviyn.booru
 import com.fasterxml.jackson.annotation.JsonIgnore
 import javax.persistence.Column
 import javax.persistence.Entity
+import javax.persistence.FetchType
 import javax.persistence.Id
 import javax.persistence.JoinColumn
 import javax.persistence.JoinTable
@@ -20,7 +21,7 @@ open class User(
 @JsonIgnore
 open var enabled: Boolean = true,
 @JsonIgnore
- @ManyToMany
+ @ManyToMany(fetch = FetchType.EAGER)
 @JoinTable(
 name = "user_roles",
 joinColumns = [JoinColumn(name = "user_id", referencedColumnName = "id")],
diff --git a/src/main/kotlin/uk/co/neviyn/booru/Security.kt b/src/main/kotlin/uk/co/neviyn/booru/Security.kt
index e20f73f..d334fe4 100644
--- a/src/main/kotlin/uk/co/neviyn/booru/Security.kt
+++ b/src/main/kotlin/uk/co/neviyn/booru/Security.kt
@@ -21,7 +21,7 @@ class SecurityConfig
 val userDetailsService: CustomUserDetailsService
 ) : WebSecurityConfigurerAdapter() {
 override fun configure(http: HttpSecurity) {
- http.authorizeRequests().antMatchers("/upload").authenticated()
+ http.authorizeRequests().antMatchers("/upload").hasAuthority("USER")
 .anyRequest().permitAll().and()
 .formLogin().loginPage("/login").permitAll().and()
 .logout().logoutSuccessUrl("/").permitAll().and()
@@ -33,7 +33,7 @@ class SecurityConfig
 }
 }
-class CustomUserDetails
+open class CustomUserDetails
 constructor(
 private val user: User
 ) : UserDetails {
@@ -50,7 +50,6 @@ constructor(
 override fun isCredentialsNonExpired(): Boolean = true
 override fun isEnabled(): Boolean = user.enabled
-
 }
 @Service
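Review bot: In Entity.kt, the new `@ManyToMany(fetch = FetchType.EAGER)` on the `user_roles` association has no comment saying why eager loading is needed, and the reason is not visible in this hunk. If it is there so the roles can be read when authorities are built after the persistence session has closed (presumably in CustomUserDetails; confirm), say so above the annotation, e.g. `// EAGER: roles are read while building authorities at login, outside a transaction`. Eager fetching applies to every load of a User, not only the login path, so keeping the default and loading roles inside a transactional user lookup is worth weighing. The User constructor continues outside the hunk.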
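Review bot: In `configure` in Security.kt, `hasAuthority("USER")` compares the literal string with each `GrantedAuthority` and, unlike `hasRole`, adds no `ROLE_` prefix, so `/upload` is reachable only if `CustomUserDetails.getAuthorities()` returns exactly `USER`. That method is outside this diff, so check it, and check that existing accounts have a matching `user_roles` row. The rule is still attached with `antMatchers("/upload")`, which matches that one Ant pattern instead of following Spring MVC's path matching. If the endpoint is a Spring MVC controller, `http.authorizeRequests().mvcMatchers("/upload").hasAuthority("USER")` keeps the check aligned with how the handler is mapped. The chain still ends in `.anyRequest().permitAll()`, so any upload-related route not listed here stays public, and `configure` continues past the end of the hunk.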
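Review bot: Making `CustomUserDetails` `open` in Security.kt also makes its `override` members overridable, because a Kotlin `override` is open unless marked `final`. A subclass could then change what `getAuthorities()` or `isEnabled()` report for the same `User`. The diff does not show what needs the class to be open. If it is a subclass or a test double, add a KDoc line saying so and mark the security-relevant members final, e.g. `final override fun isEnabled(): Boolean = user.enabled`. The class body runs beyond this hunk, so the other overrides are not visible here.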