diff --git a/app/api/tasks/[id]/route.ts b/app/api/tasks/[id]/route.ts index 796c0bb..250aeba 100644 --- a/app/api/tasks/[id]/route.ts +++ b/app/api/tasks/[id]/route.ts @@ -1,6 +1,5 @@ import { authenticateApiRequest } from '@/lib/api-auth' import { prisma } from '@/lib/prisma' -import { productAccessFilter } from '@/lib/product-access' import { z } from 'zod' const patchSchema = z @@ -27,12 +26,33 @@ export async function PATCH( const { id } = await params const task = await prisma.task.findFirst({ - where: { id, story: { product: productAccessFilter(auth.userId) } }, + where: { id }, + include: { + story: { + include: { + product: { + include: { + members: { + where: { user_id: auth.userId }, + select: { id: true }, + }, + }, + }, + }, + }, + }, }) if (!task) { return Response.json({ error: 'Taak niet gevonden' }, { status: 404 }) } + const hasAccess = + task.story.product.user_id === auth.userId || + (task.story.product.members?.length ?? 0) > 0 + if (!hasAccess) { + return Response.json({ error: 'Geen toegang' }, { status: 403 }) + } + const body = await request.json().catch(() => null) const parsed = patchSchema.safeParse(body) if (!parsed.success) {
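Review bot: In the second hunk, answering 403 (`'Geen toegang'`) for a task the caller may not access, where the old product-scoped `where` clause produced the same 404 as a nonexistent id, turns the endpoint into an existence oracle for task IDs once the lookup is no longer filtered to the caller's products. Unless clients depend on telling the two apart, collapse both into the same response: `if (!task || !hasAccess) { return Response.json({ error: 'Taak niet gevonden' }, { status: 404 }) }`. The inline owner-or-member rule also re-implements whatever `productAccessFilter` encoded; if that helper applies further conditions (a member status or role, archived products), this route will drift from the others that still use it, so that is worth confirming before the import is dropped. `task.story.product.members` is always an array here because it is included with a `where`, so `?.length ?? 0` can simply be `.length > 0`. PATCH's body begins before this hunk and continues past it.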