diff --git a/hypha/apply/projects/templates/application_projects/vendor_detail.html b/hypha/apply/projects/templates/application_projects/vendor_detail.html
index 2bb2a9160851c6bc0443b3de634db95dc7752525..da54c5a6dab76f23bcf40d27d2851da7b0f56301 100644
--- a/hypha/apply/projects/templates/application_projects/vendor_detail.html
+++ b/hypha/apply/projects/templates/application_projects/vendor_detail.html
@@ -1,6 +1,6 @@
 {% extends "base-apply.html" %}
-{% load bleach_tags i18n %}
-
+{% load bleach_tags i18n approval_tools %}
+{% user_can_edit_project object request.user as editable %}
 {% block title %}{% trans "Vendor Information for" %} {{ project.title }} {% endblock %}
 
 {% block content %}
@@ -14,12 +14,14 @@
     <div>
         <h5 class="vendor-info">Last Updated: {{ vendor.updated_at|date:'F d, Y' }}</h5>
     </div>
-    <div>
-        <a class="link link--edit-vendor is-active" href="{% url 'apply:projects:vendor' pk=project.pk %}">
-            Edit
-        <svg class="icon icon--pen"><use xlink:href="#pen"></use></svg>
-        </a>
-    </div>
+    {% if editable %}
+        <div>
+            <a class="link link--edit-vendor is-active" href="{% url 'apply:projects:vendor' pk=project.pk %}">
+                Edit
+            <svg class="icon icon--pen"><use xlink:href="#pen"></use></svg>
+            </a>
+        </div>
+    {% endif %}
 </div>
 
 <div class="rich-text rich-text--answers">
diff --git a/hypha/apply/projects/views/vendor.py b/hypha/apply/projects/views/vendor.py
index a78d4e2ff834f790cc7f10f1ebc095a6e2f72ffb..6087123d0fcf9ebab14fd6e3dc7d641dbf81e398 100644
--- a/hypha/apply/projects/views/vendor.py
+++ b/hypha/apply/projects/views/vendor.py
@@ -42,7 +42,7 @@ def show_extra_info_form(wizard):
     return cleaned_data.get('need_extra_info', True)
 
 
-class VendorAccessMixin:
+class CreateVendorAccessMixin:
     def dispatch(self, request, *args, **kwargs):
         project_settings = ProjectSettings.for_request(request)
         if not project_settings.vendor_setup_required:
@@ -59,7 +59,22 @@ class VendorAccessMixin:
         return super().dispatch(request, *args, **kwargs)
 
 
-class CreateVendorView(VendorAccessMixin, SessionWizardView):
+class DetailVendorAccessMixin:
+    def dispatch(self, request, *args, **kwargs):
+        project_settings = ProjectSettings.for_request(request)
+        if not project_settings.vendor_setup_required:
+            raise PermissionDenied
+        is_admin = request.user.is_apply_staff
+        project = self.get_project()
+        is_owner = request.user == project.user
+        if not (is_owner or is_admin):
+            raise PermissionDenied
+        if not project.vendor:
+            raise Http404
+        return super().dispatch(request, *args, **kwargs)
+
+
+class CreateVendorView(CreateVendorAccessMixin, SessionWizardView):
     file_storage = PrivateStorage()
     form_list = [
         ('basic', CreateVendorFormStep1),
@@ -209,7 +224,7 @@ class CreateVendorView(VendorAccessMixin, SessionWizardView):
         return kwargs
 
 
-class VendorDetailView(VendorAccessMixin, DetailView):
+class VendorDetailView(DetailVendorAccessMixin, DetailView):
     model = Vendor
     template_name = 'application_projects/vendor_detail.html'