MuckRock · duckduckgrayduck · Apr 14, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/documentcloud/organizations/views.py b/documentcloud/organizations/views.py
@@ -2,6 +2,7 @@
 from django.db.models.expressions import F, Value
 from rest_framework import status, viewsets
 from rest_framework.decorators import action
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 # Third Party
@@ -24,6 +25,7 @@
 
 class OrganizationViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = OrganizationSerializer
+    permission_classes = [IsAuthenticated]
     queryset = Organization.objects.none()
     permission_classes = (DjangoObjectPermissionsOrAnonReadOnly,)
 

diff --git a/documentcloud/users/tests/test_views.py b/documentcloud/users/tests/test_views.py
@@ -123,7 +123,7 @@ def test_retrieve_me_expanded(self, client, user):
     def test_retrieve_me_anonymous(self, client):
         """me endpoint doesn't work for logged out users"""
         response = client.get("/api/users/me/")
-        assert response.status_code == status.HTTP_404_NOT_FOUND
+        assert response.status_code == status.HTTP_403_FORBIDDEN
 
     def test_update(self, client, user):
         """Test setting a users active org"""

diff --git a/documentcloud/users/views.py b/documentcloud/users/views.py
@@ -31,6 +31,7 @@ class UserViewSet(
     viewsets.GenericViewSet,
 ):
     serializer_class = UserSerializer
+    permission_classes = [IsAuthenticated]
     queryset = User.objects.none()
     permit_list_expands = ["organization"]