diff --git a/edivorce/apps/core/urls.py b/edivorce/apps/core/urls.py
index 8a2b42b8..5d4f19ae 100644
--- a/edivorce/apps/core/urls.py
+++ b/edivorce/apps/core/urls.py
@@ -8,7 +8,7 @@ urlpatterns = [
 url(r'^api/response$', api.UserResponseHandler.as_view()),
 url(r'^api/documents/$', api.DocumentCreateView.as_view(), name='documents'),
 # path('api/documents///', api.DocumentMetaDataView.as_view(), name='documents-meta'),
- path('api/documents////', api.DocumentView.as_view(), name='document'),
+ path('api/documents/////', api.DocumentView.as_view(), name='document'),
 path('api/documents//', api.get_document_file_by_key, name='document_by_key'),
 # url(r'^login/headers$', system.headers),
diff --git a/edivorce/apps/core/views/api.py b/edivorce/apps/core/views/api.py
index 528e1598..4c46b077 100644
--- a/edivorce/apps/core/views/api.py
+++ b/edivorce/apps/core/views/api.py
@@ -72,18 +72,12 @@ class DocumentCreateView(CreateAPIView):
 class DocumentView(RetrieveUpdateDestroyAPIView):
 serializer_class = DocumentMetadataSerializer
- # permission_classes = [permissions.IsAuthenticated]
+ permission_classes = [permissions.IsAuthenticated]
 def get_object(self):
 return Document.objects.get(bceid_user=self.request.user, **self.kwargs)
 def retrieve(self, request, *args, **kwargs):
- if not self.request.user.is_authenticated:
- s = 'Anonymous'
- if hasattr(self.request.user, 'sm_user'):
- s = self.request.user.sm_user
- return Response(data="Your are not authenticated (" + s + ")", status=status.HTTP_403_FORBIDDEN)
- """ Return the file instead of meta data """
 document = self.get_object()
 content_type = Document.content_type_from_filename(document.filename)
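Review bot: The extra segment added to the `document` route ends up as an ORM filter, because `DocumentView.get_object` in api.py calls `Document.objects.get(bceid_user=self.request.user, **self.kwargs)`, so every captured URL kwarg has to be a `Document` field name. The converter names are not visible in this rendering of the patch, so that could not be checked here. I would add a comment above the route, `# captured kwargs go straight into Document.objects.get() in DocumentView.get_object; names must match model fields`, and confirm that every `reverse('document', ...)` caller and front-end URL builder passes the new argument. The neighbouring `document_by_key` route points at a plain function view, which the `permission_classes` on `DocumentView` does not cover; its own authentication and ownership check is presumably in api.py but is not shown in this diff.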
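Review bot: `get_object` still uses `Document.objects.get(...)`, so an authenticated request for a document that does not exist, or that belongs to another user, raises `Document.DoesNotExist`, which DRF's default exception handler does not translate and which would surface as a 500 unless it is caught elsewhere. Now that `IsAuthenticated` is the only gate in front of `retrieve`, the lookup should fail closed with a 404: `return get_object_or_404(Document, bceid_user=self.request.user, **self.kwargs)` (from `django.shortcuts`; whether it is already imported is not visible here). Keep the `bceid_user=self.request.user` filter, since it is what scopes the lookup to the caller's own documents. The body of `retrieve` continues past the end of the hunk.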