From e4895ffab1211b209254c62173f88daad8f50213 Mon Sep 17 00:00:00 2001
From: r888888888
Date: Tue, 16 Apr 2013 22:13:14 -0700
Subject: [PATCH] fixes #1275

---
 .../user_name_change_requests_controller.rb        |  8 ++++++++
 .../user_name_change_requests_controller_test.rb   | 11 +++++++++++
 2 files changed, 19 insertions(+)

diff --git a/app/controllers/user_name_change_requests_controller.rb b/app/controllers/user_name_change_requests_controller.rb
index 91de8d900..4d51153c4 100644
--- a/app/controllers/user_name_change_requests_controller.rb
+++ b/app/controllers/user_name_change_requests_controller.rb
@@ -1,6 +1,7 @@
 class UserNameChangeRequestsController < ApplicationController
   before_filter :privileged_only, :only => [:new, :create, :show]
   before_filter :admin_only, :only => [:index, :approve, :reject, :destroy]
+  rescue_from User::PrivilegeError, :with => :access_denied
 
   def new
   end
@@ -23,6 +24,7 @@ class UserNameChangeRequestsController < ApplicationController
 
   def show
     @change_request = UserNameChangeRequest.find(params[:id])
+    check_privileges!(@change_request)
   end
 
   def index
@@ -46,4 +48,10 @@ class UserNameChangeRequestsController < ApplicationController
     @change_request.reject!(params[:reason])
     redirect_to user_name_change_request_path(@change_request), :notice => "Name change request rejected"
   end
+
+private
+  def check_privileges!(change_request)
+    return if CurrentUser.is_janitor?
+    raise User::PrivilegeError if change_request.user_id != CurrentUser.user.id
+  end
 end
diff --git a/test/functional/user_name_change_requests_controller_test.rb b/test/functional/user_name_change_requests_controller_test.rb
index be0547979..f8f93517a 100644
--- a/test/functional/user_name_change_requests_controller_test.rb
+++ b/test/functional/user_name_change_requests_controller_test.rb
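Review bot: The bypass in `check_privileges!` is `CurrentUser.is_janitor?`, while the accompanying test describes the exception as "not an admin" and the other protected actions in this controller use `admin_only`; the role boundary should be stated so the next reader does not assume janitor and admin are interchangeable here, e.g. a comment on the method: `# Janitors (presumably including higher levels) may view any request; everyone else only their own.` The ownership check also runs after `UserNameChangeRequest.find(params[:id])`, so a caller who is not the owner can still distinguish an existing id (redirect via access_denied) from a missing one (RecordNotFound); if request ids should not be enumerable, scope the lookup to the current user for non-janitors instead of finding first and checking second. If `CurrentUser.user` can ever be nil when `show` runs, the comparison raises NoMethodError rather than `User::PrivilegeError` and the new `rescue_from` would not catch it; the `privileged_only` filter presumably rules that out, but that is not visible in this hunk.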
@@ -27,6 +27,17 @@ class UserNameChangeRequestsControllerTest < ActionController::TestCase
       get :show, {:id => @change_request.id}, {:user_id => @user.id}
       assert_response :success
     end
+
+    context "when the current user is not an admin and does not own the request" do
+      setup do
+        CurrentUser.user = FactoryGirl.create(:user)
+      end
+
+      should "fail" do
+        get :show, {:id => @change_request.id}
+        assert_redirected_to(new_session_path(:url => user_name_change_request_path(@change_request)))
+      end
+    end
   end
 
   context "for actions restricted to admins" do
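Review bot: The new "should fail" case never logs the non-owner in: the sibling test just above passes `{:user_id => @user.id}` as the session hash, whereas this one only assigns `CurrentUser.user` and sends no session, so the redirect to `new_session_path` it asserts is the same response an anonymous (or non-privileged) request gets from `privileged_only`, and the test would still pass if `check_privileges!` were removed from `show`. Pass the session as the sibling does with a user whose level satisfies `privileged_only`, e.g. `get :show, {:id => @change_request.id}, {:user_id => @other_user.id}`, and add a positive case asserting the owner (and a janitor) still receive `:success`. Whether assigning `CurrentUser.user` directly survives the controller's own current-user filter cannot be determined from this hunk.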