diff --git a/src/server/access/collections.test.ts b/src/server/access/collections.test.ts
new file mode 100644
index 0000000..14d69b3
--- /dev/null
+++ b/src/server/access/collections.test.ts
@@ -0,0 +1,27 @@
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+
+const prevDatabaseUrl = process.env.DATABASE_URL;
+
+beforeAll(() => {
+  process.env.DATABASE_URL =
+    process.env.DATABASE_URL ?? "postgresql://user:pass@localhost:5432/test";
+});
+
+afterAll(() => {
+  if (prevDatabaseUrl === undefined) delete process.env.DATABASE_URL;
+  else process.env.DATABASE_URL = prevDatabaseUrl;
+});
+
+describe("canRenameOrDeleteCollection", () => {
+  it("allows owners and creators", async () => {
+    const { canRenameOrDeleteCollection } = await import("./collections");
+    expect(canRenameOrDeleteCollection({ kind: "owner" })).toBe(true);
+    expect(canRenameOrDeleteCollection({ kind: "creator" })).toBe(true);
+  });
+
+  it("denies grants and non-members", async () => {
+    const { canRenameOrDeleteCollection } = await import("./collections");
+    expect(canRenameOrDeleteCollection({ kind: "grant" })).toBe(false);
+    expect(canRenameOrDeleteCollection({ kind: "none" })).toBe(false);
+  });
+});
diff --git a/src/server/access/collections.ts b/src/server/access/collections.ts
index 641c425..112d116 100644
--- a/src/server/access/collections.ts
+++ b/src/server/access/collections.ts
@@ -13,7 +13,7 @@ export type CollectionAccessState =
 export function canRenameOrDeleteCollection(
   state: CollectionAccessState,
 ): boolean {
-  return state.kind !== "none";
+  return state.kind === "owner" || state.kind === "creator";
 }
 
 export async function loadCollectionAccessState(params: {