diff --git a/app/controllers/dmails_controller.rb b/app/controllers/dmails_controller.rb
index f6acf1c1b..de6619fc7 100644
--- a/app/controllers/dmails_controller.rb
+++ b/app/controllers/dmails_controller.rb
@@ -5,7 +5,9 @@ class DmailsController < ApplicationController
   def new
     if params[:respond_to_id]
-      @dmail = Dmail.find(params[:respond_to_id]).build_response(:forward => params[:forward])
+      parent = Dmail.find(params[:respond_to_id])
+      check_privilege(parent)
+      @dmail = parent.build_response(:forward => params[:forward])
     else
       @dmail = Dmail.new(params[:dmail])
     end
@@ -58,6 +60,7 @@ class DmailsController < ApplicationController
   end
 
   private
+
   def check_privilege(dmail)
     if !dmail.visible_to?(CurrentUser.user, params[:key])
       raise User::PrivilegeError
diff --git a/test/functional/dmails_controller_test.rb b/test/functional/dmails_controller_test.rb
index 90b761e98..a89f1764c 100644
--- a/test/functional/dmails_controller_test.rb
+++ b/test/functional/dmails_controller_test.rb
@@ -22,6 +22,12 @@ class DmailsControllerTest < ActionController::TestCase
     end
 
     context "with a respond_to_id" do
+      should "check privileges" do
+        @user2 = FactoryGirl.create(:user)
+        get :new, {:respond_to_id => @dmail}, {:user_id => @user2.id}
+        assert_response 403
+      end
+
       should "prefill the fields" do
         get :new, {:respond_to_id => @dmail}, {:user_id => @user.id}
         assert_response :success
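Review bot: The new `parent = Dmail.find(params[:respond_to_id])` line still raises RecordNotFound for an unknown id before `check_privilege(parent)` runs, so a caller who is not allowed to see a dmail gets a different status for an existing id than for a missing one; if that distinction matters for this app, a comment on the `check_privilege` call such as `# NOTE: find raises 404 before the 403 check; existence of an id is observable to non-owners` records the trade-off for the next maintainer. The `check_privilege` helper (second hunk) also consults `params[:key]`, so a reply can be started on any dmail the key makes visible, not only on ones addressed to the current user; it is unclear from the hunk whether that is intended for `new`, and a one-line comment on the helper stating what `:key` grants would settle it. The body of `new` continues past the end of the hunk.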
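Review bot: `@user2` in the new "check privileges" example is an instance variable that only this example reads, which in a shoulda/test-unit context leaks into every other example in the class; a local suffices: `user2 = FactoryGirl.create(:user)` and `get :new, {:respond_to_id => @dmail}, {:user_id => user2.id}`. The example also presumes that `@dmail`, created in setup outside the hunk, belongs to `@user` and is not visible to a freshly created user with no `:key` — that assumption is what makes the 403 meaningful and is worth stating in the example name or a comment, e.g. `# @dmail is owned by @user; a different user with no share key must be rejected`. The enclosing context block continues outside the hunk.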