diff --git a/attract/__init__.py b/attract/__init__.py index 7211e9e..85b1029 100644 --- a/attract/__init__.py +++ b/attract/__init__.py @@ -170,9 +170,16 @@ class AttractExtension(PillarExtension): if not self.is_attract_project(project): return '' + if not self.auth.current_user_may(auth.Actions.VIEW): + return '' + return flask.render_template('attract/sidebar.html', project=project) + @property + def has_project_settings(self) -> bool: + return self.auth.current_user_is_attract_user() + def project_settings(self, project: pillarsdk.Project, **template_args: dict) -> flask.Response: """Renders the project settings page for this extension. diff --git a/attract/routes.py b/attract/routes.py index 346fc94..9c2233c 100644 --- a/attract/routes.py +++ b/attract/routes.py @@ -171,6 +171,9 @@ def project_settings(project: pillarsdk.Project, **template_args: dict): from . import EXTENSION_NAME + if not current_attract.auth.current_user_is_attract_user(): + raise wz_exceptions.Forbidden() + # Based on the project state, we can render a different template. if not current_attract.is_attract_project(project): return render_template('attract/project_settings/offer_setup.html',
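Review bot: The new `has_project_settings` property on `AttractExtension` has no docstring, and neither it nor the added sidebar guard states that they only decide what is displayed. Returning `''` from the sidebar when `self.auth.current_user_may(auth.Actions.VIEW)` is false hides the links but does not protect the views behind them, so each of those routes still needs its own server-side check. Only the settings route is shown gaining one in this commit. I would add `"""Whether the project settings link is shown; display only, the settings route enforces access itself."""` to the property. The sidebar method starts above the hunk, and the `auth` module named in `auth.Actions.VIEW` is presumably imported elsewhere in the file, which the hunk does not show.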
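Review bot: The guard added at the top of `project_settings` in `attract/routes.py` checks only that the caller is an Attract user and never consults `project`, so on its own it does not establish that the caller has any rights on this particular project. If a decorator or the caller already verifies project-level access (not visible here), a comment such as `# Project access is verified by the caller; this only gates on Attract membership.` would make that explicit. If nothing does, the check should be scoped to `project` as well. The refusal is also silent, and recording the denied user and project before `raise wz_exceptions.Forbidden()` would give operators something to alert on. The function starts above the hunk and its body continues past the end of it.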