diff --git a/aurweb/routers/packages.py b/aurweb/routers/packages.py
index 8f4a7e1f..15d0591c 100644
--- a/aurweb/routers/packages.py
+++ b/aurweb/routers/packages.py
@@ -820,7 +820,7 @@ async def pkgbase_unflag(request: Request, name: str):
     pkgbase = get_pkg_or_base(name, PackageBase)
 
     has_cred = request.user.has_credential(
-        "CRED_PKGBASE_UNFLAG", approved=[pkgbase.Flagger])
+        "CRED_PKGBASE_UNFLAG", approved=[pkgbase.Flagger, pkgbase.Maintainer])
     if has_cred:
         with db.begin():
             pkgbase.OutOfDateTS = None
diff --git a/test/test_packages_routes.py b/test/test_packages_routes.py
index 12d7e33e..e2811a46 100644
--- a/test/test_packages_routes.py
+++ b/test/test_packages_routes.py
@@ -1713,7 +1713,9 @@ def test_pkgbase_flag(client: TestClient, user: User, maintainer: User,
 
     # Flag it with a valid comment.
     with client as request:
-        resp = request.post(endpoint, {"comments": "Test"}, cookies=cookies)
+        resp = request.post(endpoint, data={
+            "comments": "Test"
+        }, cookies=cookies)
     assert resp.status_code == int(HTTPStatus.SEE_OTHER)
     assert pkgbase.Flagger == user
     assert pkgbase.FlaggerComment == "Test"
@@ -1724,14 +1726,34 @@ def test_pkgbase_flag(client: TestClient, user: User, maintainer: User,
         resp = request.get(endpoint, cookies=cookies, allow_redirects=False)
     assert resp.status_code == int(HTTPStatus.SEE_OTHER)
 
-    # Now, test that the 'maintainer' user can't unflag it, because they
+    with db.begin():
+        user2 = db.create(User, Username="test2",
+                          Email="test2@example.org",
+                          Passwd="testPassword",
+                          AccountType=user.AccountType)
+
+    # Now, test that the 'user2' user can't unflag it, because they
     # didn't flag it to begin with.
-    maint_cookies = {"AURSID": maintainer.login(Request(), "testPassword")}
+    user2_cookies = {"AURSID": user2.login(Request(), "testPassword")}
     endpoint = f"/pkgbase/{pkgbase.Name}/unflag"
+    with client as request:
+        resp = request.post(endpoint, cookies=user2_cookies)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+    assert pkgbase.Flagger == user
+
+    # Now, test that the 'maintainer' user can.
+    maint_cookies = {"AURSID": maintainer.login(Request(), "testPassword")}
     with client as request:
         resp = request.post(endpoint, cookies=maint_cookies)
     assert resp.status_code == int(HTTPStatus.SEE_OTHER)
-    assert pkgbase.Flagger == user
+    assert pkgbase.Flagger is None
+
+    # Flag it again.
+    with client as request:
+        resp = request.post(f"/pkgbase/{pkgbase.Name}/flag", data={
+            "comments": "Test"
+        }, cookies=cookies)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
 
     # Now, unflag it for real.
     with client as request: