diff --git a/opentech/apply/review/tests/test_views.py b/opentech/apply/review/tests/test_views.py
index 682500b50994cdd428969f42690d3ef1b12dce19..d9d3b9453e746c27b9dbec7511f5306bcd3b603b 100644
--- a/opentech/apply/review/tests/test_views.py
+++ b/opentech/apply/review/tests/test_views.py
@@ -24,11 +24,11 @@ class StaffReviewsTestCase(BaseViewTestCase):
         self.assertContains(response, self.user.full_name)
         self.assertContains(response, reverse('funds:submissions:detail', kwargs={'pk': review.submission.id}))
 
-    def test_cant_access_other_review(self):
+    def test_can_access_other_review(self):
         submission = ApplicationSubmissionFactory()
         review = ReviewFactory(submission=submission)
         response = self.get_page(review)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
 
 
 class StaffReviewListingTestCase(BaseViewTestCase):
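Review bot: The rename to `test_can_access_other_review` leaves the `raise PermissionDenied` branch in `ReviewDetailView` without any test visible in this hunk, since the only 403 assertion was turned into a 200 assertion. A companion case that requests the same page as an authenticated user who is neither the author, a superuser nor apply staff should be kept and should still end in `self.assertEqual(response.status_code, 403)`. A second case for an anonymous client would pin the redirect that `login_required` now adds. Without these, a later loosening of the condition would pass the suite unnoticed.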
diff --git a/opentech/apply/review/views.py b/opentech/apply/review/views.py
index 70a3ad13ce6defe07672fec054c0c2630f393b40..da2b4fee78061a8c68f0b3ae3a2771d5b57c13d8 100644
--- a/opentech/apply/review/views.py
+++ b/opentech/apply/review/views.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404
@@ -38,6 +39,7 @@ def get_fields_for_stage(submission):
         return forms[0].form.form_fields
 
 
+@method_decorator(login_required, name='dispatch')
 class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
     submission_form_class = ReviewModelForm
     model = Review
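Review bot: `@method_decorator(login_required, name='dispatch')` on `ReviewCreateOrUpdateView`, and again on `ReviewDetailView` in the next hunk, relies on `method_decorator` being in scope, but the import hunk only adds `login_required`. Please confirm `from django.utils.decorators import method_decorator` is already present in views.py, because a missing name here fails at module import rather than at request time. Note also that `login_required` only establishes authentication; whether this view limits who may create or update a review for a given submission is decided in code outside the hunk and deserves a one-line comment above the class, for example `# Authentication only; reviewer permission is checked in <method>`.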
@@ -97,6 +99,7 @@ class ReviewCreateOrUpdateView(BaseStreamForm, CreateOrUpdateView):
         return self.submission.get_absolute_url()
 
 
+@method_decorator(login_required, name='dispatch')
 class ReviewDetailView(DetailView):
     model = Review
 
@@ -104,7 +107,7 @@ class ReviewDetailView(DetailView):
         review = self.get_object()
         author = review.author
 
-        if request.user != author and not request.user.is_superuser and request.user != review.submission.lead:
+        if request.user != author and not request.user.is_superuser and not request.user.is_apply_staff:
             raise PermissionDenied
 
         if review.is_draft:
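Review bot: Replacing `request.user != review.submission.lead` with `not request.user.is_apply_staff` widens read access from one lead to every staff account, and those users now also reach the `if review.is_draft:` branch that follows. That branch's body is outside the hunk, so please confirm it does not expose or hand over another reviewer's unfinished draft to a staff member who is not the author. The check also reads `is_apply_staff` on `request.user`, which presumably only exists on the project's user model, so it depends on `login_required` running before this method. A comment such as `# Authors, superusers and apply staff may view; login_required guarantees a real user here` would record both assumptions. If a submission lead can ever be a non-staff account, that user loses access with this change.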