diff --git a/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php b/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
--- a/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
+++ b/src/applications/diffusion/controller/DiffusionMirrorDeleteController.php
@@ -19,6 +19,11 @@
 $mirror = id(new PhabricatorRepositoryMirrorQuery())
 ->setViewer($viewer)
 ->withIDs(array($this->id))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ))
 ->executeOne();
 if (!$mirror) {
 return new Aphront404Response();
diff --git a/src/applications/diffusion/controller/DiffusionMirrorEditController.php b/src/applications/diffusion/controller/DiffusionMirrorEditController.php
--- a/src/applications/diffusion/controller/DiffusionMirrorEditController.php
+++ b/src/applications/diffusion/controller/DiffusionMirrorEditController.php
@@ -16,10 +16,20 @@
 $drequest = $this->diffusionRequest;
 $repository = $drequest->getRepository();
 
+ PhabricatorPolicyFilter::requireCapability(
+ $viewer,
+ $repository,
+ PhabricatorPolicyCapability::CAN_EDIT);
+
 if ($this->id) {
 $mirror = id(new PhabricatorRepositoryMirrorQuery())
 ->setViewer($viewer)
 ->withIDs(array($this->id))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ))
 ->executeOne();
 if (!$mirror) {
 return new Aphront404Response();
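Review bot: The delete path in DiffusionMirrorDeleteController.php authorizes only through the mirror query's `requireCapabilities(...)`, while the edit controller in this same commit also calls `PhabricatorPolicyFilter::requireCapability` on the repository. If the mirror's policy is not derived from its repository (the policy implementation is not visible here), delete ends up guarded less strictly than edit. Either add the same explicit check before the query, `PhabricatorPolicyFilter::requireCapability($viewer, $repository, PhabricatorPolicyCapability::CAN_EDIT);` (assuming a repository object is in scope), or add a comment such as `// CAN_EDIT on a mirror is delegated to its repository's edit policy.` once that is confirmed. The enclosing method starts and ends outside the hunk, so whether the later delete step re-checks anything cannot be seen from here.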
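Review bot: In DiffusionMirrorEditController.php the mirror is still loaded by `$this->id` alone, so nothing in the visible lines ties it to the `$repository` whose CAN_EDIT was just checked. A viewer who can edit both objects passes both checks even when the mirror belongs to a different repository than the one in the request, and the rest of the method (outside the hunk) may then treat the two as related. After the `if (!$mirror)` check I would add `if ($mirror->getRepositoryPHID() != $repository->getPHID()) { return new Aphront404Response(); }`, assuming the mirror exposes its repository PHID that way, or constrain the query to the repository instead. A controller test covering a viewer without CAN_EDIT and a mirror id from another repository would pin both behaviours.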