The two views: report_abuse and submit_review are handling authentication themselves by expecting the user's token/secret to be posted to the view. I don't remember why this is necessary, so wanted to document it here :)
It looks like it is only ever used to create an LP API service root using the auth details, and then call launchpad.me to get the username/displayname. If the authentication succeeds a separate Reviewer object is created using the username, otherwise HttpResponseForbidden is returned.
I *think* we should be able to use OAuth instead so that the client authenticates with the RNR app (similar to the setup that achuni added to SCA, i.e. internally contacting SSO when necessary), and automatically create a new User object. Anthony?
If we can, then let's refactor those views to simply use login_required, and afaics, this would remove the need for any authenticated requests to the LP API at all?
I added some comments on this to bug #674069. I think it's fine (and a good idea) to change the server so that those two calls require a login and that the client does the login as a separate step.