diff --git a/smash/web/templates/login.html b/smash/web/templates/login.html
index 1cdc90f5f1873ce649bce6ae8e710345fdb4838a..86b7238f0d148e5aa3ec9416c1a945840e9f0a5c 100644
--- a/smash/web/templates/login.html
+++ b/smash/web/templates/login.html
@@ -75,6 +75,9 @@
 
     <form action="{% url 'web.views.login' %}" method="post">
 	  {% csrf_token %}
+    {% if next %}
+      <input type="hidden" name="next" value="{{ next }}" />
+    {% endif %}
 
       <div class="form-group has-feedback">
         <input type="text" name="username" class="form-control" placeholder="Login">
diff --git a/smash/web/views.py b/smash/web/views.py
index 61708d9757432c29dbf4b571a1147a8bb0c739c0..ba5eeae2301ec2f1224f824ae58c1f4189d4ab9e 100644
--- a/smash/web/views.py
+++ b/smash/web/views.py
@@ -54,13 +54,18 @@ def login(request):
 	if request.GET and request.GET.get('error'):
 		context['state'] = request.GET.get('error')
 
+	if request.method == "GET" and request.GET:
+		context['next'] = request.GET.get('next')
+
 	if request.method == "POST" and request.POST:
 		state, message = do_login(request)
 		if state == True:
-			return redirect(appointments)
+			if request.POST.get('next'):
+				return redirect(request.POST.get('next'))
+			else:
+				return redirect(appointments)
 		else:
 			return redirect('/login?error=' + message)
-
 	return render(request, "login.html", context)
 
 class NotificationCount(object):
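Review bot: The new `redirect(request.POST.get('next'))` forwards to whatever value the form submits, and that value comes from the `next` query parameter copied into the hidden field in login.html. A login link carrying an off-site `next` therefore sends the user to that site right after a successful login (open redirect). Validate the target before using it, for example `next_url = request.POST.get('next')` followed by `if next_url and is_safe_url(next_url, request.get_host()): return redirect(next_url)`, with `redirect(appointments)` as the fallback. The helper lives in `django.utils.http` and is named `url_has_allowed_host_and_scheme` on newer Django releases. Separately, the failed-login branch redirects to `/login?error=...` without carrying `next`, so the original target is lost after one wrong password.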
@@ -84,6 +89,9 @@ def get_filter_locations(user):
 			worker = workers[0]
 	elif isinstance(user, Worker):
 		worker = user
+	elif isinstance(user, AnonymousUser):
+		# anonymous user shouldn't see anything
+		return Location.objects.filter(id=-1)
 	elif user!=None:
 		raise TypeError("Unknown class type: "+user.__class__.__name__)
 
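Review bot: `Location.objects.filter(id=-1)` in the new AnonymousUser branch depends on no row ever having id -1 and still runs a query. `return Location.objects.none()` states the intent directly and gives an empty queryset without touching the database. The branch also needs `AnonymousUser` imported from `django.contrib.auth.models`; that import is not visible in this hunk, so confirm views.py has it. get_filter_locations starts and ends outside the hunk.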
@@ -664,6 +672,8 @@ def appointment_edit_datetime(request, id):
 		form = AppointmentEditForm(instance=the_appointment)
 	return wrap_response(request, 'appointments/edit.html', {'form': form})
 
+#because we don't  wrap_response we must force login required
+@login_required
 def export_to_csv2(request, type="subjects"):
     #Create the HttpResponse object with the appropriate CSV header.
 	response = HttpResponse(content_type='text/csv')
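Review bot: `@login_required` on export_to_csv2 only establishes that the caller is authenticated, so any logged-in account can still download the full CSV unless the body restricts the rows. The body continues outside the hunk, so check whether the export is scoped the way other views are through get_filter_locations, or guarded by a permission check. The added comment could also say why the decorator is needed, e.g. `# wrap_response() is not used here, so the login check must be applied explicitly`. Other views that build an HttpResponse directly instead of calling wrap_response would need the same decorator, and a test asserting that an anonymous request to this URL is redirected to the login page would keep this from regressing.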