diff --git a/interface/patient_file/letter.php b/interface/patient_file/letter.php
index f3c4cd232..6277b411e 100644
--- a/interface/patient_file/letter.php
+++ b/interface/patient_file/letter.php
@@ -274,27 +274,32 @@
 }
 } else if ($_POST['formaction'] == "savetemplate" && $_POST['form_template'] != "") {
- // attempt to save the template
- $fh = fopen("$template_dir/".$_POST['form_template'], 'w');
- // translate from definition to the constant
- $temp_bodytext = $_POST['form_body'];
- foreach ($FIELD_TAG as $key => $value) {
- $temp_bodytext = str_replace("{".$value."}", "{".$key."}", $temp_bodytext);
- }
- if (! fwrite($fh, $temp_bodytext)) {
- echo xl('Error while writing to file','','',' ') . $template_dir."/".$_POST['form_template'];
- die;
+ // authenticate
+ $userAuthorized = $_SESSION['userauthorized'];
+ if ($userAuthorized) {
+ // attempt to save the template
+ $fh = fopen("$template_dir/".$_POST['form_template'], 'w');
+ // translate from definition to the constant
+ $temp_bodytext = $_POST['form_body'];
+ foreach ($FIELD_TAG as $key => $value) {
+ $temp_bodytext = str_replace("{".$value."}", "{".$key."}", $temp_bodytext);
+ }
+ if (! fwrite($fh, $temp_bodytext)) {
+ echo xl('Error while writing to file','','',' ') . $template_dir."/".$_POST['form_template'];
+ die;
+ }
+ fclose($fh);
+
+ // read the saved file back
+ $fh = fopen("$template_dir/".$_POST['form_template'], 'r');
+ while (!feof($fh)) $bodytext.= fread($fh, 8192);
+ fclose($fh);
+ // translate from constant to the definition
+ foreach ($FIELD_TAG as $key => $value) {
+ $bodytext = str_replace("{".$key."}", "{".$value."}", $bodytext);
+ }
- }
- fclose($fh);
- // read the saved file back
- $fh = fopen("$template_dir/".$_POST['form_template'], 'r');
- while (!feof($fh)) $bodytext.= fread($fh, 8192);
- fclose($fh);
- // translate from constant to the definition
- foreach ($FIELD_TAG as $key => $value) {
- $bodytext = str_replace("{".$key."}", "{".$value."}", $bodytext);
- }
 }
 // This is the case where we display the form for data entry.
diff --git a/patient_portal/import_template.php b/patient_portal/import_template.php
index 8dace706c..ef0d2888d 100644
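Review bot: The new gate decides who may save but not what is saved: `$_POST['form_template']` still flows unvalidated into the `fopen("$template_dir/".$_POST['form_template'], 'w')` path and into the read-back `fopen(..., 'r')`, so an authorized session can still name a file outside `$template_dir`; the same pattern (`unlink($_POST['docid'])`) is in the patient_portal/import_template.php hunk. Constrain the name before it reaches the filesystem, e.g. `$template_name = basename($_POST['form_template']);` followed by `if ($template_name === '' || $template_name !== $_POST['form_template']) { die(xl('Invalid template name')); }`, and use `$template_name` in both `fopen` calls. The unauthorized case also falls through silently — no message, no log entry, and the page goes on to render as if nothing was requested — so an explicit `else { die(xl('Not authorized')); }` (plus an audit-log call, if the project has one) would make the refusal visible. `$_SESSION['userauthorized']` is read without `isset`, and `$fh` is never compared against `false`, so a failed `fopen` produces warnings on `fwrite` instead of the existing error message. The if/else-if chain this branch belongs to starts above the hunk.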
--- a/patient_portal/import_template.php
+++ b/patient_portal/import_template.php
@@ -27,9 +27,17 @@
 file_put_contents($_POST['docid'], $_POST['content']);
 exit(true);
 } else if ($_POST['mode'] == 'delete') {
- unlink($_POST['docid']);
- exit(true);
+
+ // authenticate
+ $userAuthorized = $_SESSION['userauthorized'];
+ if ($userAuthorized) {
+ //allow
+ unlink($_POST['docid']);
+ exit(true);
+ }
+
 }
+
 // so it is an import
 if(!isset($_POST['up_dir'])){
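Review bot: An unauthorized `delete` request no longer stops here: the old branch always reached `exit(true)`, but the new `if ($userAuthorized)` block has no else, so execution falls out of the chain and continues into the import code under `// so it is an import` with `mode=delete` still in `$_POST`, whatever that code then does with the request. Terminate the branch explicitly, e.g. `} else { http_response_code(403); exit; }` right after the authorized block. The `save` branch visible as context above (`file_put_contents($_POST['docid'], $_POST['content'])`) writes a client-supplied path with client-supplied content and receives no authorization check at all in this commit, so the same `$userAuthorized` gate should wrap it too. Restricting `$_POST['docid']` to a known directory (`basename()` plus a check that the result matches the input) is the same point raised on the letter.php hunk and applies to both branches here.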