diff --git a/src/routes/v2/projects.rs b/src/routes/v2/projects.rs
index 767453a1b..8bcb797d4 100644
--- a/src/routes/v2/projects.rs
+++ b/src/routes/v2/projects.rs
@@ -1641,8 +1641,8 @@ pub async fn project_schedule(
 )
 .await?;
 
- if user.role.is_mod()
- || team_member
+ if !user.role.is_mod()
+ && !team_member
 .map(|x| x.permissions.contains(Permissions::EDIT_DETAILS))
 .unwrap_or(false)
 {
@@ -2315,6 +2315,10 @@ pub async fn project_follow(
 let user_id: database::models::ids::UserId = user.id.into();
 let project_id: database::models::ids::ProjectId = result.id;
 
+ if !is_authorized(&result, &Some(user), &pool).await? {
+ return Ok(HttpResponse::NotFound().body(""));
+ }
+
 let following = sqlx::query!(
 "
 SELECT EXISTS(SELECT 1 FROM mod_follows mf WHERE mf.follower_id = $1 AND mf.mod_id = $2)
diff --git a/src/routes/v2/versions.rs b/src/routes/v2/versions.rs
index cd58633c2..abc58529c 100644
--- a/src/routes/v2/versions.rs
+++ b/src/routes/v2/versions.rs
@@ -691,8 +691,8 @@ pub async fn version_schedule(
 )
 .await?;
 
- if user.role.is_mod()
- || team_member
+ if !user.role.is_mod()
+ && !team_member
 .map(|x| x.permissions.contains(Permissions::EDIT_DETAILS))
 .unwrap_or(false)
 {
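Review bot: The permission guard in project_schedule is still a doubly negated expression (`!user.role.is_mod() && !team_member…unwrap_or(false)`), a form that is easy to invert, as the removed lines show. Naming the positive condition would make the check readable at a glance: `let can_schedule = user.role.is_mod() || team_member.map(|x| x.permissions.contains(Permissions::EDIT_DETAILS)).unwrap_or(false);` followed by `if !can_schedule {`. The same applies to the identical hunk for version_schedule in src/routes/v2/versions.rs. The body of the `if` is outside both hunks, so this assumes it is the rejection path. No test accompanies either hunk; a case asserting that a user who is neither a moderator nor a team member with EDIT_DETAILS is refused would pin the corrected behaviour.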
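Review bot: The 404 added in project_follow only conceals a project if it cannot be told apart from the response given when the project does not exist. That lookup sits above the hunk, so it is worth confirming that both paths return the same status and the same empty body. A one-line comment on the check would record the intent, for example `// 404 rather than 403 so the existence of a non-visible project is not disclosed`. Any sibling handler outside this diff that changes follow state for a project resolved the same way would presumably need the same `is_authorized` check; none is visible here.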