I would much rather we do the username checking in ReviewRequestManager (reviews/managers.py). The advantage is we have the code in one place and we never run the risk of hitting this again. We should then update the NewReviewRequestForm object to catch the OwnershipError exception, set the proper error response, and re-throw the caught exception. Right now it does this check that you have here, but if we centralize that code, we won't need it anymore.
post-review - block request if changelist's author is a mismatch
Review Request #777 — Created March 23, 2009 and discarded
Block user from post-review'ing review of changelists they aren't the owner of. The web interface blocks it, but the web service doesn't.
We're using this at DD
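
A minimal sketch of the centralization proposed in the review comment above, added here as an example and not Review Board's own code. The names ReviewRequestManager, NewReviewRequestForm and OwnershipError come from the comment; Changelist, web_service_create, the method signatures and the response dictionaries are stand-ins assumed for illustration.

```python
# Added illustration with stand-in classes; not Review Board's real code.
from dataclasses import dataclass

class OwnershipError(ValueError):
    """Raised when the submitter is not the changelist's author."""

@dataclass
class Changelist:  # hypothetical stand-in for an SCM changeset
    number: int
    author: str

class ReviewRequestManager:
    """Single choke point: every entry path creates requests here."""

    def __init__(self, changelists):
        self._changelists = {c.number: c for c in changelists}
        self.created = []

    def create(self, user, changenum):
        cl = self._changelists[changenum]
        # The ownership check lives here, so no caller can skip it.
        if cl.author != user:
            raise OwnershipError(
                f"changelist {changenum} is owned by {cl.author}, not {user}")
        self.created.append((user, changenum))
        return (user, changenum)

class NewReviewRequestForm:
    """Web path: records the field error, then re-raises."""

    def __init__(self, manager):
        self.manager = manager
        self.errors = {}

    def create(self, user, changenum):
        try:
            return self.manager.create(user, changenum)
        except OwnershipError as e:
            self.errors["changenum"] = str(e)
            raise

def web_service_create(manager, user, changenum):
    """Web service path: maps the same exception to an error response."""
    try:
        manager.create(user, changenum)
        return {"stat": "ok"}
    except OwnershipError as e:
        return {"stat": "fail", "err": str(e)}
```

Because neither caller duplicates the comparison, a new entry point added later inherits the check as long as it goes through the manager.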