diff --git a/src/applications/meta/controller/PhabricatorApplicationEditController.php b/src/applications/meta/controller/PhabricatorApplicationEditController.php
index 9c01268891..d401f4f8c5 100644
--- a/src/applications/meta/controller/PhabricatorApplicationEditController.php
+++ b/src/applications/meta/controller/PhabricatorApplicationEditController.php
@@ -75,6 +75,19 @@ final class PhabricatorApplicationEditController
 
         $value[$phid]['policy'] = $result + $value[$phid]['policy'];
 
+        // Don't allow users to make policy edits which would lock them out of
+        // applications, since they would be unable to undo those actions.
+        PhabricatorEnv::overrideConfig($key, $value);
+        PhabricatorPolicyFilter::mustRetainCapability(
+          $user,
+          $application,
+          PhabricatorPolicyCapability::CAN_VIEW);
+
+        PhabricatorPolicyFilter::mustRetainCapability(
+          $user,
+          $application,
+          PhabricatorPolicyCapability::CAN_EDIT);
+
         PhabricatorConfigEditor::storeNewValue(
           $config_entry,
           $value,