diff --git a/app/controllers/homework_attach_controller.rb b/app/controllers/homework_attach_controller.rb
index 6088e2294..d07ee9448 100644
--- a/app/controllers/homework_attach_controller.rb
+++ b/app/controllers/homework_attach_controller.rb
@@ -305,7 +305,8 @@ class HomeworkAttachController < ApplicationController
   end
 
   def edit
-    if User.current.admin? || User.current.member_of_course?(@homework.bid.courses.first)
+    bid = @homework.bid
+    if (bid.comment_status == 0 || bid.open_anonymous_evaluation == 0) && (User.current.admin? || User.current.member_of_course?(bid.courses.first))
       get_homework_member @homework
     else
       render_403 :message => :notice_not_authorized
@@ -337,7 +338,8 @@ class HomeworkAttachController < ApplicationController
   end
 
   def destroy
-    if User.current.admin? || User.current == @homework.user
+    bid = @homework.bid
+    if (bid.comment_status == 0 || bid.open_anonymous_evaluation == 0) && (User.current.admin? || User.current == @homework.user)
       if @homework.destroy
         #respond_to do |format|
         #  format.html { redirect_to course_for_bid_url @homework.bid }
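Review bot: The new state lock `(bid.comment_status == 0 || bid.open_anonymous_evaluation == 0)` is duplicated verbatim in `edit` and again in the `destroy` hunk, so the two authorization paths will drift the next time the evaluation rules change; extract it once as a private predicate such as `def bid_modifiable?(bid)` / `  bid && (bid.comment_status == 0 || bid.open_anonymous_evaluation == 0)` / `end` and call it from both conditions. That `bid &&` guard also matters because `destroy` previously never dereferenced `@homework.bid`, so if the association can be nil the new code turns a 403 into a `NoMethodError` 500. Note that the lock is ANDed with the admin check, so an admin is now also refused once anonymous evaluation is open — if admins are meant to keep correcting submissions after that point, the admin test belongs outside the lock. Both rejections still render `:notice_not_authorized`, which tells the homework's own author they lack permission when the real reason is that evaluation has started; a distinct message for the locked case would make the 403 accurate. The bodies of `edit` and `destroy` continue past each hunk.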