--- a/Allura/allura/controllers/repository.py
+++ b/Allura/allura/controllers/repository.py
@@ -116,6 +116,7 @@
     @without_trailing_slash
     @expose('jinja:allura:templates/repo/request_merge.html')
     def request_merge(self, branch=None):
+        security.require(security.has_access(c.app.repo, 'admin'))
         c.form = self.mr_widget
         if branch is None:
             source_branch=c.app.repo.branches[0].name
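Review bot: The new `security.require(security.has_access(c.app.repo, 'admin'))` at the top of `request_merge` guards only the handler that renders the form. The handler that processes the submitted form is not visible in this hunk, and if it lacks the same check a client can skip the form and post to it directly. I would confirm that the submit handler begins with the same `security.require(...)` line, and add a comment above this one such as `# only repo admins may open a merge request; the submit handler must enforce the same check`. The body of `request_merge` continues past the end of the hunk.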
@@ -239,6 +240,7 @@
 
     def __init__(self, num):
         self.req = M.MergeRequest.query.get(
+            app_config_id=c.app.config._id,
             request_number=int(num))
         if self.req is None: raise exc.HTTPNotFound