diff --git a/src/main/scala/app/IssuesController.scala b/src/main/scala/app/IssuesController.scala
index 5cc89a8..c8a1dbd 100644
--- a/src/main/scala/app/IssuesController.scala
+++ b/src/main/scala/app/IssuesController.scala
@@ -65,11 +65,12 @@
           (getCollaborators(owner, repository) :+ owner).sorted,
           getMilestones(owner, repository),
           getLabels(owner, repository),
+          hasWritePermission(owner, repository, context.loginAccount),
           getRepository(owner, repository, baseUrl).get)
     } getOrElse NotFound
   })
 
-  get("/:owner/:repository/issues/new")( readableUsersOnly {
+  get("/:owner/:repository/issues/new")(readableUsersOnly {
     val owner      = params("owner")
     val repository = params("repository")
 
@@ -82,20 +83,22 @@
     } getOrElse NotFound
   })
 
-  post("/:owner/:repository/issues/new", issueCreateForm)( readableUsersOnly { form =>
-    val owner = params("owner")
+  post("/:owner/:repository/issues/new", issueCreateForm)(readableUsersOnly { form =>
+    val owner      = params("owner")
     val repository = params("repository")
+    val writable   = hasWritePermission(owner, repository, context.loginAccount)
 
-    // TODO User and milestone are assigned by only collaborators.
-    val issueId = createIssue(owner, repository, context.loginAccount.get.userName,
-      form.title, form.content, form.assignedUserName, form.milestoneId)
+    val issueId = createIssue(owner, repository, context.loginAccount.get.userName, form.title, form.content,
+      if(writable) form.assignedUserName else None,
+      if(writable) form.milestoneId else None)
 
-    // TODO labels are assigned by only collaborators
-    form.labelNames.map { value =>
-      val labels = getLabels(owner, repository)
-      value.split(",").foreach { labelName =>
-        labels.find(_.labelName == labelName).map { label =>
-          registerIssueLabel(owner, repository, issueId, label.labelId)
+    if(writable){
+      form.labelNames.map { value =>
+        val labels = getLabels(owner, repository)
+        value.split(",").foreach { labelName =>
+          labels.find(_.labelName == labelName).map { label =>
+            registerIssueLabel(owner, repository, issueId, label.labelId)
+          }
         }
       }
     }
@@ -103,18 +106,24 @@
     redirect("/%s/%s/issues/%d".format(owner, repository, issueId))
   })
 
-  // TODO Authenticator
-  ajaxPost("/:owner/:repository/issues/edit/:id", issueEditForm){ form =>
-    val owner = params("owner")
+  ajaxPost("/:owner/:repository/issues/edit/:id", issueEditForm)(readableUsersOnly { form =>
+    val owner      = params("owner")
     val repository = params("repository")
-    val issueId = params("id").toInt
+    val issueId    = params("id").toInt
+    val writable   = hasWritePermission(owner, repository, context.loginAccount)
 
-    updateIssue(owner, repository, issueId, form.title, form.content)
-    redirect("/%s/%s/issues/_data/%d".format(owner, repository, issueId))
-  }
+    getIssue(owner, repository, issueId.toString).map { issue =>
+      if(writable || issue.openedUserName == context.loginAccount.get.userName){
+        updateIssue(owner, repository, issueId, form.title, form.content)
+        redirect("/%s/%s/issues/_data/%d".format(owner, repository, issueId))
+      } else {
+        Unauthorized
+      }
+    } getOrElse NotFound
+  })
 
-  // TODO requires users only and readable repository checking
-  post("/:owner/:repository/issue_comments/new", commentForm)( referrersOnly { form =>
+  // TODO repository checking
+  post("/:owner/:repository/issue_comments/new", commentForm)(readableUsersOnly { form =>
     val owner = params("owner")
     val repository = params("repository")
     val action = params.get("action") filter { action =>
@@ -125,13 +134,22 @@
         createComment(owner, repository, context.loginAccount.get.userName, form.issueId, form.content, action)))
   })
 
-  // TODO Authenticator, repository checking
-  ajaxPost("/:owner/:repository/issue_comments/edit/:id", commentForm){ form =>
-    val commentId = params("id").toInt
+  // TODO repository checking
+  ajaxPost("/:owner/:repository/issue_comments/edit/:id", commentForm)(readableUsersOnly { form =>
+    val owner      = params("owner")
+    val repository = params("repository")
+    val commentId  = params("id").toInt
+    val writable   = hasWritePermission(owner, repository, context.loginAccount)
 
-    updateComment(commentId, form.content)
-    redirect("/%s/%s/issue_comments/_data/%d".format(params("owner"), params("repository"), commentId))
-  }
+    getComment(commentId.toString).map { comment =>
+      if(writable || comment.commentedUserName == context.loginAccount.get.userName){
+        updateComment(commentId, form.content)
+        redirect("/%s/%s/issue_comments/_data/%d".format(owner, repository, commentId))
+      } else {
+        Unauthorized
+      }
+    } getOrElse NotFound
+  })
 
   // TODO Authenticator
   ajaxGet("/:owner/:repository/issues/_data/:id"){
diff --git a/src/main/twirl/issues/issue.scala.html b/src/main/twirl/issues/issue.scala.html
index 8838305..e5551d2 100644
--- a/src/main/twirl/issues/issue.scala.html
+++ b/src/main/twirl/issues/issue.scala.html
@@ -4,6 +4,7 @@
   collaborators: List[String],
   milestones: List[model.Milestone],
   labels: List[model.Label],
+  hasWritePermission: Boolean,
   repository: service.RepositoryService.RepositoryInfo)(implicit context: app.Context)
 @import context._
 @import view.helpers._
@@ -19,7 +20,9 @@
       <div class="box">
         <div class="box-content" style="padding: 0px;">
           <div class="issue-header">
-            <span class="pull-right"><a class="btn btn-small" href="#" id="edit">Edit</a></span>
+            @if(hasWritePermission || loginAccount.map(_.userName == issue.openedUserName).getOrElse(false)){
+              <span class="pull-right"><a class="btn btn-small" href="#" id="edit">Edit</a></span>
+            }
             <div class="small muted">
               <a href="@url(issue.openedUserName)" class="username">@issue.openedUserName</a> opened this issue @datetime(issue.registeredDate)
             </div>
@@ -31,11 +34,13 @@
                 <a href="@url(userName)" class="username strong">@userName</a> is assigned
               }.getOrElse("No one is assigned")
             </span>
-            @helper.html.dropdown {
-              <li><a href="javascript:void(0);" class="assign" data-name="">Clear assignee</a></li>
-              <li class="divider"></li>
-              @collaborators.map { collaborator =>
-                <li><a href="javascript:void(0);" class="assign" data-name="@collaborator">@collaborator</a></li>
+            @if(hasWritePermission){
+              @helper.html.dropdown {
+                <li><a href="javascript:void(0);" class="assign" data-name="">Clear assignee</a></li>
+                <li class="divider"></li>
+                @collaborators.map { collaborator =>
+                  <li><a href="javascript:void(0);" class="assign" data-name="@collaborator">@collaborator</a></li>
+                }
               }
             }
             <div class="pull-right">
@@ -46,11 +51,13 @@
                   }
                 }.getOrElse("No milestone")
               </span>
-              @helper.html.dropdown {
-                <li><a href="javascript:void(0);" class="milestone" data-id="">No milestone</a></li>
-                <li class="divider"></li>
-                @milestones.map { milestone =>
-                  <li><a href="javascript:void(0);" class="milestone" data-id="@milestone.milestoneId">@milestone.title</a></li>
+              @if(hasWritePermission){
+                @helper.html.dropdown {
+                  <li><a href="javascript:void(0);" class="milestone" data-id="">No milestone</a></li>
+                  <li class="divider"></li>
+                  @milestones.map { milestone =>
+                    <li><a href="javascript:void(0);" class="milestone" data-id="@milestone.milestoneId">@milestone.title</a></li>
+                  }
                 }
               }
             </div>
@@ -61,40 +68,44 @@
         </div>
       </div>
       @comments.map { comment =>
-      <div class="box" id="comment-@comment.commentId">
-        <div class="box-header-small">
-          <a href="@url(comment.commentedUserName)" class="username strong">@comment.commentedUserName</a> commented
-          <span class="pull-right">
-            @datetime(comment.registeredDate)
-            <a href="#" data-comment-id="@comment.commentId"><i class="icon-pencil"></i></a>
-          </span>
+        <div class="box" id="comment-@comment.commentId">
+          <div class="box-header-small">
+            <a href="@url(comment.commentedUserName)" class="username strong">@comment.commentedUserName</a> commented
+            <span class="pull-right">
+              @datetime(comment.registeredDate)
+              @if(hasWritePermission || loginAccount.map(_.userName == comment.commentedUserName).getOrElse(false)){
+                <a href="#" data-comment-id="@comment.commentId"><i class="icon-pencil"></i></a>
+              }
+            </span>
+          </div>
+          <div class="box-content"class="issue-content" id="commentContent-@comment.commentId">
+            @markdown(comment.content, repository, false, true, true)
+          </div>
         </div>
-        <div class="box-content"class="issue-content" id="commentContent-@comment.commentId">
-          @markdown(comment.content, repository, false, true, true)
+        @comment.action.map { action =>
+        <div class="small">
+          @if(action == "close"){
+            <span class="label label-important">Closed</span>
+            <a href="@url(comment.commentedUserName)">@comment.commentedUserName</a> closed the issue @datetime(comment.registeredDate)
+          } else {
+            <span class="label label-success">Reopened</span>
+            <a href="@url(comment.commentedUserName)">@comment.commentedUserName</a> reopened the issue @datetime(comment.registeredDate)
+          }
         </div>
-      </div>
-      @comment.action.map { action =>
-      <div class="small">
-        @if(action == "close"){
-          <span class="label label-important">Closed</span>
-          <a href="@url(comment.commentedUserName)">@comment.commentedUserName</a> closed the issue @datetime(comment.registeredDate)
-        } else {
-          <span class="label label-success">Reopened</span>
-          <a href="@url(comment.commentedUserName)">@comment.commentedUserName</a> reopened the issue @datetime(comment.registeredDate)
         }
-      </div>
       }
+      @if(loginAccount.isDefined){
+        <form action="@url(repository)/issue_comments/new" method="POST" validate="true">
+          <div class="box">
+            <div class="box-content">
+              @helper.html.preview(repository, "", false, true, true, "width: 730px; height: 100px;")
+            </div>
+          </div>
+          <input type="hidden" name="issueId" value="@issue.issueId"/>
+          <input type="submit" class="btn btn-success" value="Comment"/>
+          <input type="submit" class="btn" value="@{if(issue.closed) "Reopen" else "Close"}" id="action"/>
+        </form>
       }
-      <form action="@url(repository)/issue_comments/new" method="POST" validate="true">
-      <div class="box">
-        <div class="box-content">
-          @helper.html.preview(repository, "", false, true, true, "width: 730px; height: 100px;")
-        </div>
-      </div>
-      <input type="hidden" name="issueId" value="@issue.issueId"/>
-      <input type="submit" class="btn btn-success" value="Comment"/>
-      <input type="submit" class="btn" value="@{if(issue.closed) "Reopen" else "Close"}" id="action"/>
-      </form>
     </div>
     <div class="span2">
       @if(issue.closed) {
@@ -105,25 +116,27 @@
       <div class="small">@comments.size comments</div>
       <hr/>
       <strong>Labels</strong>
-      <div class="pull-right">
-        <div class="btn-group">
-          <button class="btn btn-mini dropdown-toggle" data-toggle="dropdown">
-            <i class="icon-cog"></i>
-            <span class="caret"></span>
-          </button>
-          <ul class="dropdown-menu">
-          @labels.map { label =>
-            <li>
-              <a href="#" class="toggle-label" data-label-id="@label.labelId">
-                <i class="@{if(issueLabels.exists(_.labelId == label.labelId)) "icon-ok" else "icon-white"}"></i>
-                <span class="label" style="background-color: #@label.color;">&nbsp;</span>
-                @label.labelName
-              </a>
-            </li>
-          }
-          </ul>
+      @if(hasWritePermission){
+        <div class="pull-right">
+          <div class="btn-group">
+            <button class="btn btn-mini dropdown-toggle" data-toggle="dropdown">
+              <i class="icon-cog"></i>
+              <span class="caret"></span>
+            </button>
+            <ul class="dropdown-menu">
+            @labels.map { label =>
+              <li>
+                <a href="#" class="toggle-label" data-label-id="@label.labelId">
+                  <i class="@{if(issueLabels.exists(_.labelId == label.labelId)) "icon-ok" else "icon-white"}"></i>
+                  <span class="label" style="background-color: #@label.color;">&nbsp;</span>
+                  @label.labelName
+                </a>
+              </li>
+            }
+            </ul>
+          </div>
         </div>
-      </div>
+      }
       <ul class="label-list">
         @labellist(issueLabels)
       </ul>
diff --git a/src/main/twirl/issues/tab.scala.html b/src/main/twirl/issues/tab.scala.html
index f78d5c5..de340e6 100644
--- a/src/main/twirl/issues/tab.scala.html
+++ b/src/main/twirl/issues/tab.scala.html
@@ -4,9 +4,11 @@
 <ul class="nav nav-tabs">
   <li@if(active == "issues"){ class="active"}><a href="@url(repository)/issues">Browse Issues</a></li>
   <li@if(active == "milestones"){ class="active"}><a href="@url(repository)/issues/milestones">Milestones</a></li>
+  @if(loginAccount.isDefined){
   <li class="pull-right">
     <div class="btn-group">
       <a class="btn btn-success" href="@url(repository)/issues/new">New Issue</a>
     </div>
   </li>
+  }
 </ul>