Issue 379: Shouldn't access to unpublished review requests.

Review Request #366 — Created April 23, 2008 and submitted — Latest diff uploaded

Information

Review Board SVN (deprecated)
trunk
379

Reviewers

This fix limits access to unpublished review requests.
Only the submitter and people who have permission should be able to access the review request.

I define a decorator maker at reviewboard/accounts/decorators.py, and decorate review_request views.

Current code uses
 raise HttpResponseForbidden()
But it should be
 return HttpResponseForbidden("Error Message HTML")
or
 from django.core.exceptions import PermissionDenied
 raise PermissionDenied

I use HttpResponseForbidden, but the error message is hard-coded and very cheap. Maybe we can refactor it later to something like the "templates/404.html" way of django.http.Http404.

------------------------------------
According to David's review, 
 * moved decorators.py to reviewboard/reviews/
 * changed a parameter name from only_unpublic to only_nonpublic
 * changed from returning HttpForbidden to raising Http404 when permission doesn't match
Thanks for reviewing.
Tested on my local machine.
Post a new review request but do not publish it. Access the URLs (/r/<id>/, /r/<id>/diff, and so on) as another user.
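
The access rule described in this request, as an added example that is not part of the original review request or Review Board's own code: a decorator maker that hides unpublished review requests from everyone except the submitter and users holding a permission. It assumes that `only_nonpublic=True` means the check applies only to unpublished requests; `Http404`, `User`, `ReviewRequest`, `REVIEW_REQUESTS`, the decorator name and the `can_view_unpublished` permission are hypothetical stand-ins so the code runs without Django.

```python
from dataclasses import dataclass, field
from functools import wraps

class Http404(Exception):
    """Stand-in for django.http.Http404 so the example runs without Django."""

@dataclass
class User:                      # constructed stand-in for the request user
    username: str
    perms: set = field(default_factory=set)

@dataclass
class ReviewRequest:             # constructed stand-in for the model
    id: int
    submitter: str
    public: bool

# Constructed sample data: #1 is published, #2 is still unpublished.
REVIEW_REQUESTS = {
    1: ReviewRequest(1, "alice", public=True),
    2: ReviewRequest(2, "alice", public=False),
}

def review_request_access_required(only_nonpublic=True):
    """Decorator maker: gate a view on access to the review request."""
    def decorator(view):
        @wraps(view)
        def wrapped(user, review_request_id, *args, **kwargs):
            rr = REVIEW_REQUESTS.get(review_request_id)
            if rr is None:
                raise Http404("no such review request")
            # Assumption: only_nonpublic limits the check to unpublished requests.
            restricted = (not rr.public) or (not only_nonpublic)
            allowed = (user.username == rr.submitter
                       or "can_view_unpublished" in user.perms)  # hypothetical
            if restricted and not allowed:
                # Same error as a missing id, so the response does not
                # confirm that an unpublished request exists.
                raise Http404("no such review request")
            return view(user, rr, *args, **kwargs)
        return wrapped
    return decorator

@review_request_access_required(only_nonpublic=True)
def review_detail(user, review_request):
    return "review request #%d by %s" % (review_request.id,
                                         review_request.submitter)
```

Raising an exception class, rather than raising a response object, is what lets the framework turn the denial into an error page; a response object is not an exception, so `raise` on it fails with a `TypeError` instead.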