diff --git a/rest.js b/rest.js
index 875fced..db15535 100644
--- a/rest.js
+++ b/rest.js
@@ -51,11 +51,12 @@ module.exports.create = function (bigconf, deps, app) {
 app.use( '/exchange_token', attachSiteModels);
 app.post( '/exchange_token', Accounts.restful.createToken.exchangeToken);
- app.use( '/acl/profile', attachSiteModels);
+ // TODO secure ACL endpoints with proper grants
+ app.use( '/acl/profile', attachSiteModels, /*app.grantsRequired(['profile@oauth3.org'])*/);
 app.get( '/acl/profile', Accounts.restful.getProfile);
 app.post( '/acl/profile', Accounts.restful.setProfile);
- app.use( '/acl/contact_nodes', attachSiteModels);
+ app.use( '/acl/contact_nodes', attachSiteModels, /*app.grantsRequired(['profile@oauth3.org'])*/);
 app.post( '/acl/contact_nodes', Accounts.restful.claimContact);
 app.post( '/acl/contact_nodes/:id', Accounts.restful.verifyContact);
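Review bot: The grant check on both `app.use` lines exists only inside a block comment, so `/acl/profile` and `/acl/contact_nodes` are still mounted with `attachSiteModels` alone and nothing in this hunk enforces a scope on getProfile, setProfile, claimContact or verifyContact; whether the handlers check grants themselves is not visible here. The commented-out argument also leaves a dangling comma, `attachSiteModels, /*...*/);`, which is a syntax error on runtimes without ES2017 trailing-comma support in call arguments, so either enable it as `app.use('/acl/profile', attachSiteModels, app.grantsRequired(['profile@oauth3.org']));` or drop the comma until the middleware exists. The TODO sits above the profile route only; I would repeat it on the contact_nodes line and state the actual exposure, e.g. `// TODO(security): grants are NOT enforced on /acl/* yet; access depends only on attachSiteModels`. It is also worth confirming that `profile@oauth3.org` is the intended grant for the contact_nodes routes, since the same value is copied to both. The enclosing `module.exports.create` function starts and ends outside this hunk.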