Checklist

• I have verified that that issue exists against themaster branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to thediscussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to bein the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

• Set up an example project based on DRF tutorial. SetDEFAULT_PERMISSION_CLASSES torest_framework.permissions.IsAdminUser.
• Add the following tourls.py:

from rest_framework.documentation import include_docs_urlsurl(r'^docs/', include_docs_urls(title='API Title', description='API description'))

• Now start your server and accesslocalhost:8000/docs as an unauthenticated user; you get anAttributeError instead of 403.

Expected behavior

Users should not be able to access docs for restricted views and should see a 403.

Actual behavior

The template (document.html) doesn't check if user is authenticated or not (for restricted views) and tries to render a non-existing document object.