From 15b9c0c56f52d6631dc6fd716641e2bf8c7b9f62 Mon Sep 17 00:00:00 2001 From: Roberto Rosario Date: Tue, 9 Oct 2018 19:10:35 -0400 Subject: [PATCH] Only render the Template API view for authenticated users. Thanks rgarcia for the report. Signed-off-by: Roberto Rosario --- HISTORY.rst | 2 ++ mayan/apps/common/api_views.py | 2 ++ mayan/apps/common/tests/test_api.py | 15 ++++++++++++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/HISTORY.rst b/HISTORY.rst index 67362baa80..9ccad949b1 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -7,6 +7,8 @@ instead of the literal keys. Avoid warning about invalid key characters. Closes GitLab issue #518. Thanks to TheOneValen @ for the report. +* Only render the Template API view for authenticated users. + Thanks rgarcia for the report. 3.1.5 (2018-10-08) ================== diff --git a/mayan/apps/common/api_views.py b/mayan/apps/common/api_views.py index 082356dd82..b29144c789 100644 --- a/mayan/apps/common/api_views.py +++ b/mayan/apps/common/api_views.py @@ -3,6 +3,7 @@ from __future__ import unicode_literals from django.contrib.contenttypes.models import ContentType from rest_framework import generics +from rest_framework.permissions import IsAuthenticated from .classes import Template from .serializers import ContentTypeSerializer, TemplateSerializer @@ -22,6 +23,7 @@ class APITemplateView(generics.RetrieveAPIView): get: Retrieve the details of the partial template. """ serializer_class = TemplateSerializer + permission_classes = (IsAuthenticated,) def get_object(self): return Template.get(self.kwargs['name']).render(request=self.request) diff --git a/mayan/apps/common/tests/test_api.py b/mayan/apps/common/tests/test_api.py index e6bb91f5c6..e254fb0bd9 100644 --- a/mayan/apps/common/tests/test_api.py +++ b/mayan/apps/common/tests/test_api.py @@ -7,6 +7,8 @@ from rest_api.tests import BaseAPITestCase from ..classes import Template +TEST_TEMPLATE_RESULT = '
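Review bot: In the second hunk of mayan/apps/common/api_views.py, `permission_classes = (IsAuthenticated,)` protects only `APITemplateView`, and the need to set it per view suggests the project-wide DRF default (not visible in this patch) allows anonymous requests. Other API views that omit `permission_classes` would then be reachable the same way, so a fail-closed default is worth considering: `'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated',)` in the `REST_FRAMEWORK` setting, with public views opting out explicitly. A short comment above the new attribute would also record the reason, for example `# get_object() renders the template with the live request; authenticated users only.` The class body begins before this hunk, so only the attribute and `get_object` are reviewed here.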