Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java
===================================================================
diff -u -r80e8b14fbf1e51ddd5f16b6af99fcf5757909814 -r43b70960ce9b0bcf2d8a0d6e4ba5ec69c9fc3e6d
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java (.../EditQbQuestionController.java) (revision 80e8b14fbf1e51ddd5f16b6af99fcf5757909814)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java (.../EditQbQuestionController.java) (revision 43b70960ce9b0bcf2d8a0d6e4ba5ec69c9fc3e6d)
@@ -13,6 +13,7 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.commons.lang.StringUtils;
@@ -26,12 +27,14 @@
 import org.lamsfoundation.lams.qb.model.QbQuestionUnit;
 import org.lamsfoundation.lams.qb.service.IQbService;
 import org.lamsfoundation.lams.tool.ToolContent;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.Configuration;
 import org.lamsfoundation.lams.util.ConfigurationKeys;
 import org.lamsfoundation.lams.util.FileUtil;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
+import org.lamsfoundation.lams.web.session.SessionManager;
 import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -117,6 +120,14 @@
 if (qbQuestion == null) {
 throw new RuntimeException("QbQuestion with uid:" + qbQuestionUid + " was not found!");
 }
+ Integer userId = getUserId();
+ boolean editingAllowed = qbService.isQuestionInUserCollection(qbQuestion.getQuestionId(), userId)
+ || qbService.isQuestionInPublicCollection(qbQuestion.getQuestionId());
+ if (!editingAllowed) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ "The user does not have access to given QB question editing");
+ return null;
+ }
 //populate question information to its form for editing
 form.setUid(qbQuestion.getUid());
@@ -394,4 +405,9 @@
 return forward;
 }
-}
+ private Integer getUserId() {
+ HttpSession ss = SessionManager.getSession();
+ UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER);
+ return user != null ? user.getUserID() : null;
+ }
+}
\ No newline at end of file
Index: lams_central/web/qb/stats.jsp
===================================================================
diff -u -r45abd8fb5701761386ec30cd2478e55274ad081b -r43b70960ce9b0bcf2d8a0d6e4ba5ec69c9fc3e6d
--- lams_central/web/qb/stats.jsp (.../stats.jsp) (revision 45abd8fb5701761386ec30cd2478e55274ad081b)
+++ lams_central/web/qb/stats.jsp (.../stats.jsp) (revision 43b70960ce9b0bcf2d8a0d6e4ba5ec69c9fc3e6d)
@@ -154,7 +154,7 @@
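Review bot: `userId` can be null at the `editingAllowed` line — `getUserId()` returns null when no `UserDTO` is in the session — and it is handed straight to `qbService.isQuestionInUserCollection(...)`, so whether an unauthenticated session is refused depends on how that service method treats a null id rather than on this gate. Fail closed before consulting the service: `if (userId == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user does not have access to given QB question editing"); return null; }`. A one-line comment above the check would also help the next reader, e.g. `// Editing is limited to questions in the current user's own collection or in a public collection`. The gate guards only this populate-for-editing path; if the handler that persists the edited question (outside this hunk) does not apply the same `editingAllowed` condition, the authorization covers the form view but not the write — worth confirming. The enclosing method starts before the hunk.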
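Review bot: In the new `getUserId()`, `SessionManager.getSession()` is dereferenced on the next line without a null check, while the `UserDTO` it yields is null-checked — if the session lookup can return null (no request-bound session), the method throws a NullPointerException instead of returning null as its last line suggests it should. Add `if (ss == null) { return null; }` directly after the lookup so both absent-session and absent-user cases behave the same. A short Javadoc would make the contract explicit: `/** Returns the id of the user in the current session, or null when there is no session or no logged-in user. */`.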
- +