diff --git a/Gemfile.lock b/Gemfile.lock
index d981efe..6ef5a6b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -221,6 +221,8 @@
 pundit (1.1.0)
 activesupport (>= 3.0.0)
 rack (1.6.4)
+ rack-mini-profiler (0.10.1)
+ rack (>= 1.2.0)
 rack-test (0.6.3)
 rack (>= 1.0)
 rails (4.2.7)
@@ -345,6 +347,7 @@
 omniauth-shibboleth
 protected_attributes
 pundit
+ rack-mini-profiler
 rack-test
 rails (= 4.2.7)
 railties
diff --git a/app/controllers/organisations_controller.rb b/app/controllers/organisations_controller.rb
index 816fe11..413328f 100644
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@@ -1,4 +1,5 @@
 class OrganisationsController < ApplicationController
+<<<<<<< 38417884f7c8dfce6cb3b255ddd4410f0fba2157
 #after_action :verify_authorized
 # GET /organisations
@@ -41,28 +42,30 @@
 end
 end
+=======
+ after_action :verify_authorized
+>>>>>>> forced auth on organisations_controller. TODO: re-check parent, children, and templates after AJAX removed
 # GET /organisations/1
- # GET /organisations/1.json
 def admin_show
 @organisation = Organisation.find(params[:id])
 authorize @organisation
 respond_to do |format|
 format.html # show.html.erb
- format.json { render json: @organisation }
 end
 end
 # GET /organisations/1/edit
 def admin_edit
- @organisation = authorize Organisation.find(params[:id])
+ @organisation = Organisation.find(params[:id])
+ authorize @organisation
 end
 # PUT /organisations/1
- # PUT /organisations/1.json
 def admin_update
- @organisation = authorize Organisation.find(params[:id])
+ @organisation = Organisation.find(params[:id])
+ authorize @organisation
 @organisation.banner_text = params["org_banner_text"]
 @organisation.logo = params[:organisation][:logo] if params[:organisation][:logo]
 assign_params = params[:organisation].dup
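Review bot: The `+<<<<<<< 38417884f7c8dfce6cb3b255ddd4410f0fba2157` line in the first organisations_controller.rb hunk, together with the `+=======` and `+>>>>>>> forced auth ...` lines in the second, are unresolved merge-conflict markers committed into the file; Ruby will not parse it, so every action in this controller is broken until they are removed. The two sides disagree only on whether the callback is active (`#after_action :verify_authorized` versus `after_action :verify_authorized`), and the marker text itself says the intent is to force authorization, so resolve by keeping `after_action :verify_authorized` and dropping the commented-out line along with the three marker lines. The enclosing class starts in the first hunk and continues past both.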
@@ -71,34 +74,24 @@
 respond_to do |format|
 if @organisation.update_attributes(assign_params)
 format.html { redirect_to admin_show_organisation_path(params[:id]), notice: I18n.t("admin.org_updated_message") }
- format.json { head :no_content }
 else
 format.html { render action: "edit" }
- format.json { render json: @organisation.errors, status: :unprocessable_entity }
 end
 end
 end
- # DELETE /organisations/1
- # DELETE /organisations/1.json
- def destroy
- @organisation = Organisation.find(params[:id])
- @organisation.destroy
-
- respond_to do |format|
- format.html { redirect_to organisations_url }
- format.json { head :no_content }
- end
- end
-
+ #TODO: see if this is used by the ajax... otherwise lock it down
 def parent
 @organisation = Organisation.find(params[:id])
+ authorize @organisation
 parent_org = @organisation.find_by {|o| o.parent_id }
 return parent_org
 end
+ #TODO: see is this is used by the ajax... otherwise lock it down
 def children
 @organisation = Organisation.find(params[:id])
+ authorize @organisation
 #if user_signed_in? then
 children = {}
 @organisation.children.each do |child|
@@ -112,8 +105,10 @@
 # end
 end
+ #TODO: see if this is used by the ajax... otherwise lock it down
 def templates
 @organisation = Organisation.find(params[:id])
+ authorize @organisation
 #if user_signed_in? then
 templates = {}
 @organisation.dmptemplates.each do |template|
diff --git a/app/policies/organisation_policy.rb b/app/policies/organisation_policy.rb
index 4326458..677912c 100644
--- a/app/policies/organisation_policy.rb
+++ b/app/policies/organisation_policy.rb
@@ -19,4 +19,16 @@
 user.can_modify_org_details? && (user.organisaiton_id == organisation.id)
 end
+ def parent?
+ true
+ end
+
+ def children?
+ true
+ end
+
+ def templates?
+ true
+ end
+
 end
\ No newline at end of file
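Review bot: The `authorize @organisation` lines added to `parent`, `children` and `templates` (this hunk and the next one) only satisfy `verify_authorized`; the matching `parent?`, `children?` and `templates?` added in organisation_policy.rb each return `true` unconditionally, so these actions remain reachable by anyone the policy's initializer accepts — presumably anonymous users too, unless that initializer rejects a nil user, which is not visible here. Since the `#TODO` comments already state the goal of locking these down once the AJAX callers are confirmed, the policy methods should record that intent as well, e.g. `# Deliberately permissive until the AJAX callers are confirmed; see the TODOs on OrganisationsController#parent/#children/#templates.`, so the open gap is not later mistaken for a decision. Two wording points: the TODO on `children` reads `see is this is used` (should be `see if this is used`), and the file's other comments use `# `, so `# TODO:` would match. `children` and `templates` both continue past the end of their hunks.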