--- a/test/functional/journals_controller_test.rb
+++ b/test/functional/journals_controller_test.rb
@@ -33,14 +33,20 @@
   
   def test_reply_to_issue
     @request.session[:user_id] = 2
-    get :new, :id => 1
+    get :new, :id => 6
     assert_response :success
     assert_select_rjs :show, "update"
   end
+  
+  def test_reply_to_issue_without_permission
+    @request.session[:user_id] = 7
+    get :new, :id => 6
+    assert_response 403
+  end
 
   def test_reply_to_note
     @request.session[:user_id] = 2
-    get :new, :id => 1, :journal_id => 2
+    get :new, :id => 6, :journal_id => 4
     assert_response :success
     assert_select_rjs :show, "update"
   end
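Review bot: The new `test_reply_to_issue_without_permission` only covers the issue-reply path; the note-reply path exercised by `test_reply_to_note` (`get :new, :id => 6, :journal_id => 4`) and the `:edit` action, which the controller change also puts behind `authorize`, get no denial test in this hunk. A copy of `test_reply_to_issue_without_permission` that passes `:journal_id => 4` and keeps `assert_response 403` would pin that the permission check is independent of the journal lookup, and a matching test for `:edit` would need a journal id from the fixtures, which are not visible here. Whether user 7 actually lacks the relevant permission on issue 6's project also depends on fixture data outside this diff, so the 403 expectation should be confirmed against it.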
--- a/app/controllers/journals_controller.rb
+++ b/app/controllers/journals_controller.rb
@@ -18,6 +18,7 @@
 class JournalsController < ApplicationController
   before_filter :find_journal, :only => [:edit]
   before_filter :find_issue, :only => [:new]
+  before_filter :authorize, :only => [:new, :edit]
   
   def new
     journal = Journal.find(params[:journal_id]) if params[:journal_id]
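Review bot: `authorize` is registered after `find_issue`/`find_journal`, so it runs once those have loaded the record; it presumably checks the permission against `@project`, so it should be confirmed that `find_issue` and `find_journal` (defined outside this hunk) assign `@project` before the filter runs, otherwise the check has nothing to evaluate. The `:only => [:new, :edit]` list repeats the action names of the two finders above, so an action added to this controller later stays unprotected unless all three lists are updated; if every action here is meant to be permission-checked, `before_filter :authorize` without `:only` fails closed by default, but that depends on actions not visible in this hunk. A comment on the new line would make the ordering dependency explicit: `# must come after find_issue/find_journal, which are expected to set @project`. The `new` action body continues past the end of the hunk.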
