Bug #10689
Status: closed
Unattended controller permission check does not work
Description
Create a non-admin user (e.g. viewer role only), create a new host, and as the viewer user log on and try to view a template.
2015-06-03 14:35:41 [I] Started GET "/unattended/iPXE?hostname=bdsktest.local.lan" for 127.0.0.1 at 2015-06-03 14:35:41 +0200
2015-06-03 14:35:41 [I] Processing by UnattendedController#iPXE as HTML
...
app/controllers/application_controller.rb:224:in `block (2 levels) in render_403'
app/controllers/application_controller.rb:223:in `render_403'
app/controllers/application_controller.rb:63:in `deny_access'
app/controllers/application_controller.rb:55:in `authorize'
app/controllers/unattended_controller.rb:20:in `block (2 levels) in <class:UnattendedController>'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'
We have two issues basically:
A) Permissions are not checked properly (we obviously use template kinds as actions and we don't have such permissions)
B) Method render_403 does not work from UnattendedController context (layout error).
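To make the two issues concrete, here is an added illustration in plain Ruby (not Foreman's code and not the fix that was eventually merged). It models an authorizer for a controller whose action names are template kinds (`iPXE`, `provision`, ...): the buggy lookup treats the action name itself as the permission name, so no role can ever grant it; the corrected lookup maps every template-kind action onto one permission (the name `view_unattended` is an assumption for this example), and a denial returns a layout-free plain-text 403 instead of rendering a layout the controller does not have.

```ruby
# Added illustration, not Foreman's own code. Models the two issues from
# bug #10689: permission lookup by template kind, and a 403 that needs no
# HTML layout.

# Template kinds that show up as action names on the unattended controller.
TEMPLATE_KINDS = %w[iPXE PXELinux provision finish script user_data].freeze

# Hypothetical permission name (assumption for this example) that every
# template-kind action is mapped onto.
UNATTENDED_PERMISSION = 'view_unattended'.freeze

# Minimal stand-in for a user with a set of granted permission names.
User = Struct.new(:login, :admin, :permissions) do
  def allowed?(permission)
    admin || permissions.include?(permission)
  end
end

# Issue A as reported: the action name itself is used as the permission,
# so a non-admin user can never be allowed ("iPXE" is not a permission).
def permission_for_action_buggy(action)
  action.to_s
end

# Corrected lookup: all template-kind actions require the same permission;
# any other action keeps its own name as before.
def permission_for_action(action)
  return UNATTENDED_PERMISSION if TEMPLATE_KINDS.include?(action.to_s)
  action.to_s
end

# Issue B: a 403 that carries no layout, so it can be returned from a
# controller that serves plain text and has no HTML layout to render.
def render_403_plain
  { status: 403, content_type: 'text/plain', body: 'Access denied' }
end

# Authorize `user` for `action`, using `lookup` to translate the action into
# a permission name. Returns a small hash standing in for the HTTP response.
def authorize(user, action, lookup: method(:permission_for_action))
  permission = lookup.call(action)
  if user.allowed?(permission)
    { status: 200, content_type: 'text/plain', body: "rendered #{action} template" }
  else
    render_403_plain
  end
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new('viewer', false, [UNATTENDED_PERMISSION])
  puts authorize(viewer, 'iPXE', lookup: method(:permission_for_action_buggy))[:status] # 403
  puts authorize(viewer, 'iPXE')[:status]                                               # 200
end
```

Running the file shows the viewer denied under the buggy lookup and allowed under the corrected one; an admin passes either way, and a user without the permission still gets the plain-text 403.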