diff --git a/cms/djangoapps/contentstore/views.py b/cms/djangoapps/contentstore/views.py
index 896030b3c5..33eacd228b 100644
--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -14,19 +14,7 @@ from github_sync import export_to_github
 from mitxmako.shortcuts import render_to_response
 from xmodule.modulestore.django import modulestore
 
-@login_required
-@ensure_csrf_cookie
-def index(request):
-    courses = modulestore().get_items(['i4x', None, None, 'course', None])
-    return render_to_response('index.html', {
-        'courses': [(course.metadata['display_name'],
-                    reverse('course_index', args=[
-                        course.location.org,
-                        course.location.course,
-                        course.location.name]))
-                    for course in courses]
-    })
-
+# ==== Public views ==================================================
 
 @ensure_csrf_cookie
 def signup(request):
@@ -44,18 +32,47 @@ def login_page(request):
     csrf_token = csrf(request)['csrf_token']
     return render_to_response('login.html', {'csrf': csrf_token }) 
     
+# ==== Views for any logged-in user ==================================
+
+@login_required
+@ensure_csrf_cookie
+def index(request):
+    courses = modulestore().get_items(['i4x', None, None, 'course', None])
+    return render_to_response('index.html', {
+        'courses': [(course.metadata['display_name'],
+                    reverse('course_index', args=[
+                        course.location.org,
+                        course.location.course,
+                        course.location.name]))
+                    for course in courses]
+    })
+
+# ==== Views with per-item permissions================================
+
+def has_access(user, location):
+    '''Return True if user allowed to access this piece of data'''
+    # TODO (vshnayder): actually check perms
+    return user.is_active and user.is_authenticated
 
 @login_required
 @ensure_csrf_cookie
 def course_index(request, org, course, name):
+    location = ['i4x', org, course, 'course', name]
+    if not has_access(request.user, location):
+        raise Http404  # TODO (vshnayder): better error
+    
     # TODO (cpennington): These need to be read in from the active user
-    course = modulestore().get_item(['i4x', org, course, 'course', name])
+    course = modulestore().get_item(location)
     weeks = course.get_children()
     return render_to_response('course_index.html', {'weeks': weeks})
 
 @login_required
 def edit_item(request):
+    # TODO (vshnayder): Why are we using "id" instead of "location"?
     item_id = request.GET['id']
+    if not has_access(request.user, item_id):
+        raise Http404  # TODO (vshnayder): better error
+        
     item = modulestore().get_item(item_id)
     return render_to_response('unit.html', {
         'contents': item.get_html(),
@@ -69,6 +86,9 @@ def edit_item(request):
 @expect_json
 def save_item(request):
     item_id = request.POST['id']
+    if not has_access(request.user, item_id):
+        raise Http404  # TODO (vshnayder): better error
+
     data = json.loads(request.POST['data'])
     modulestore().update_item(item_id, data)