diff --git a/aurweb/routers/packages.py b/aurweb/routers/packages.py
index 76f82ffb..fc292610 100644
--- a/aurweb/routers/packages.py
+++ b/aurweb/routers/packages.py
@@ -254,6 +254,11 @@ async def package_base(request: Request, name: str) -> Response:
 async def package_base_voters(request: Request, name: str) -> Response:
 # Get the PackageBase.
 pkgbase = get_pkg_or_base(name, models.PackageBase)
+
+ if not request.user.has_credential(creds.PKGBASE_LIST_VOTERS):
+ return RedirectResponse(f"/pkgbase/{name}",
+ status_code=HTTPStatus.SEE_OTHER)
+
 context = make_context(request, "Voters")
 context["pkgbase"] = pkgbase
 return render_template(request, "pkgbase/voters.html", context)
diff --git a/templates/partials/packages/details.html b/templates/partials/packages/details.html
index 78e0ad1c..ae7c45f4 100644
--- a/templates/partials/packages/details.html
+++ b/templates/partials/packages/details.html
@@ -131,14 +131,14 @@ {{ "Votes" | tr }}: - {% if not is_maintainer %} - {{ pkgbase.NumVotes }} - {% else %} + {% if request.user.has_credential(creds.PKGBASE_LIST_VOTERS) %} {{ pkgbase.NumVotes }} + {% else %} + {{ pkgbase.NumVotes }} {% endif %}
diff --git a/test/test_packages_routes.py b/test/test_packages_routes.py
index c1b27627..03ab5ab8 100644
--- a/test/test_packages_routes.py
+++ b/test/test_packages_routes.py
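Review bot: In `package_base_voters` (aurweb/routers/packages.py) the redirect target is built from the request-supplied `name` rather than from the record that was just loaded. Using the stored value keeps the Location header tied to what the database returned: `return RedirectResponse(f"/pkgbase/{pkgbase.Name}", status_code=HTTPStatus.SEE_OTHER)`. The access rule is also undocumented at the point where it is enforced; a comment such as `# Only holders of PKGBASE_LIST_VOTERS may see who voted; everyone else is sent back to the package page.` above the check would record it. The route decorator sits above the hunk, so whether an authentication dependency is already attached there cannot be confirmed from these lines.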
@@ -1078,22 +1078,39 @@ def test_packages_per_page(client: TestClient, maintainer: User):
 assert len(rows) == 250
-def test_pkgbase_voters(client: TestClient, maintainer: User, package: Package):
+def test_pkgbase_voters(client: TestClient, tu_user: User, package: Package):
 pkgbase = package.PackageBase
 endpoint = f"/pkgbase/{pkgbase.Name}/voters"
 now = int(datetime.utcnow().timestamp())
 with db.begin():
- db.create(PackageVote, User=maintainer, PackageBase=pkgbase,
- VoteTS=now)
+ db.create(PackageVote, User=tu_user, PackageBase=pkgbase, VoteTS=now)
+ cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
 with client as request:
- resp = request.get(endpoint)
+ resp = request.get(endpoint, cookies=cookies, allow_redirects=False)
 assert resp.status_code == int(HTTPStatus.OK)
+ # We should've gotten one link to the voter, tu_user.
 root = parse_root(resp.text)
- rows = root.xpath('//div[@class="box"]//ul/li')
+ rows = root.xpath('//div[@class="box"]//ul/li/a')
 assert len(rows) == 1
+ assert rows[0].text.strip() == tu_user.Username
+
+
+def test_pkgbase_voters_unauthorized(client: TestClient, user: User,
+ package: Package):
+ pkgbase = package.PackageBase
+ endpoint = f"/pkgbase/{pkgbase.Name}/voters"
+
+ now = int(datetime.utcnow().timestamp())
+ with db.begin():
+ db.create(PackageVote, User=user, PackageBase=pkgbase, VoteTS=now)
+
+ with client as request:
+ resp = request.get(endpoint, allow_redirects=False)
+ assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+ assert resp.headers.get("location") == f"/pkgbase/{pkgbase.Name}"
 def test_pkgbase_comment_not_found(client: TestClient, maintainer: User,
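Review bot: `test_pkgbase_voters_unauthorized` sends its request without a session cookie, so it only covers the anonymous path; a logged-in account that lacks `PKGBASE_LIST_VOTERS` is never exercised, even though the `user` fixture is already in scope. Alongside the anonymous request, log that fixture in with `cookies = {"AURSID": user.login(Request(), "testPassword")}` and repeat the call as `resp = request.get(endpoint, cookies=cookies, allow_redirects=False)`, asserting the same 303 and `location`. This assumes the `user` fixture shares the password used for `tu_user`, which is not visible in this hunk. Without that case, a regression that lets any authenticated user through would still pass the suite.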