This is a SharePoint 2013 provider hosted add-in. You will need to update the security to match your environment. Right now it is just running under whatever the permissions are of the user running the add-in (you when you F5, or the IIS app pool id if you deploy it).