fixes #1275

app/controllers/user_name_change_requests_controller.rb

@@ -1,6 +1,7 @@
 class UserNameChangeRequestsController < ApplicationController
   before_filter :privileged_only, :only => [:new, :create, :show]
   before_filter :admin_only, :only => [:index, :approve, :reject, :destroy]
+  rescue_from User::PrivilegeError, :with => :access_denied
 
   def new
   end
@@ -23,6 +24,7 @@ class UserNameChangeRequestsController < ApplicationController
   
   def show
     @change_request = UserNameChangeRequest.find(params[:id])
+    check_privileges!(@change_request)
   end
   
   def index
@@ -46,4 +48,10 @@ class UserNameChangeRequestsController < ApplicationController
     @change_request.reject!(params[:reason])
     redirect_to user_name_change_request_path(@change_request), :notice => "Name change request rejected"
   end
+
+private
+  def check_privileges!(change_request)
+    return if CurrentUser.is_janitor?
+    raise User::PrivilegeError if change_request.user_id != CurrentUser.user.id
+  end
 end

test/functional/user_name_change_requests_controller_test.rb

@@ -27,6 +27,17 @@ class UserNameChangeRequestsControllerTest < ActionController::TestCase
         get :show, {:id => @change_request.id}, {:user_id => @user.id}
         assert_response :success
       end
+
+      context "when the current user is not an admin and does not own the request" do
+        setup do
+          CurrentUser.user = FactoryGirl.create(:user)
+        end
+
+        should "fail" do
+          get :show, {:id => @change_request.id}
+          assert_redirected_to(new_session_path(:url => user_name_change_request_path(@change_request)))
+        end
+      end
     end
     
     context "for actions restricted to admins" do