diff --git a/src/applications/phortune/controller/PhortuneSubscriptionEditController.php b/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
--- a/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
+++ b/src/applications/phortune/controller/PhortuneSubscriptionEditController.php
@@ -18,6 +18,10 @@
 return new Aphront404Response();
 }
+ id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+ $viewer,
+ $request,
+ $this->getApplicationURI($subscription->getEditURI()));
 $merchant = $subscription->getMerchant();
 $account = $subscription->getAccount();
diff --git a/src/applications/phortune/controller/PhortuneSubscriptionViewController.php b/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
--- a/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
+++ b/src/applications/phortune/controller/PhortuneSubscriptionViewController.php
@@ -35,8 +35,7 @@
 ->setUser($viewer)
 ->setObjectURI($request->getRequestURI());
- $edit_uri = $this->getApplicationURI(
- "{$account_id}/subscription/edit/{$subscription_id}/");
+ $edit_uri = $this->getApplicationURI($subscription->getEditURI());
 $actions->addAction(
 id(new PhabricatorActionView())
diff --git a/src/applications/phortune/storage/PhortuneSubscription.php b/src/applications/phortune/storage/PhortuneSubscription.php
--- a/src/applications/phortune/storage/PhortuneSubscription.php
+++ b/src/applications/phortune/storage/PhortuneSubscription.php
@@ -187,6 +187,13 @@
 return "/phortune/{$account_id}/subscription/view/{$id}/";
 }
+ public function getEditURI() {
+ $account_id = $this->getAccount()->getID();
+ $id = $this->getID();
+
+ return "/phortune/{$account_id}/subscription/edit/{$id}/";
+ }
+
 public function getMerchantURI() {
 $merchant_id = $this->getMerchant()->getID();
 $id = $this->getID();
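Review bot: The URI passed as the third argument to `requireHighSecuritySession()` is probably wrong: `getEditURI()` in PhortuneSubscription.php already returns a path starting with `/phortune/`, whereas the line this commit removes from PhortuneSubscriptionViewController.php gave `getApplicationURI()` an application-relative path, so wrapping the new value would repeat the application prefix if that helper prepends it (its definition is not shown here). The same wrapping is applied to `$edit_uri` in the view controller hunk; both call sites could pass `$subscription->getEditURI()` unwrapped. That argument is also, as far as I know, where the user is sent when they decline the MFA prompt, and pointing it at the edit page that demands the prompt sends them straight back to it, so the subscription's view URI would be the better target. The enclosing handler starts before and continues past this hunk, so whether every state-changing path runs after this check cannot be confirmed from here.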
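Review bot: `getEditURI()` is added without a doc comment, and the one fact a caller needs is that the returned path is already absolute and carries the `/phortune/` prefix. Both new call sites in this commit wrap it in `getApplicationURI()`, which the removed code used with an application-relative path, so a comment above the method such as `// Absolute path including the application prefix; do not pass through getApplicationURI().` would prevent that mix-up. The method also dereferences `$this->getAccount()` without a guard, which presumably relies on the account always being attached when the subscription is loaded; that assumption is worth stating in the same comment. The enclosing class and the following `getMerchantURI()` extend beyond the hunk.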