diff --git a/app/controllers/dois_controller.rb b/app/controllers/dois_controller.rb
index c12eb9762..ad1925445 100644
--- a/app/controllers/dois_controller.rb
+++ b/app/controllers/dois_controller.rb
@@ -291,6 +291,7 @@ def validate
   def create
     logger = Logger.new(STDOUT)
     # logger.info safe_params.inspect
+    fail CanCan::AuthorizationNotPerformed unless current_user.present?
 
     @doi = Doi.new(safe_params)
 
diff --git a/spec/requests/dois_spec.rb b/spec/requests/dois_spec.rb
index fbe290aff..bb5dcd927 100644
--- a/spec/requests/dois_spec.rb
+++ b/spec/requests/dois_spec.rb
@@ -966,6 +966,30 @@
       end
     end
 
+    context 'when the request is valid no password' do
+      let(:xml) { Base64.strict_encode64(file_fixture('datacite.xml').read) }
+      let(:valid_attributes) do
+        {
+          "data" => {
+            "type" => "dois",
+            "attributes" => {
+              "doi" => "10.14454/10703",
+              "url" => "http://www.bl.uk/pdf/patspec.pdf",
+              "xml" => xml,
+              "source" => "test",
+              "event" => "publish"
+            }
+          }
+        }
+      end
+
+      it 'fails to create a Doi' do
+        post '/dois', valid_attributes
+
+        expect(last_response.status).to eq(401)
+      end
+    end
+
     context 'when the request is valid random doi' do
       let(:xml) { Base64.strict_encode64(file_fixture('datacite.xml').read) }
       let(:valid_attributes) do