diff --git a/lib/api.rb b/lib/api.rb
index ab5b02e0556..4fdc3273a0e 100644
--- a/lib/api.rb
+++ b/lib/api.rb
@@ -41,19 +41,19 @@ module Gitlab
 
       # GET /projects/:id
       get ":id" do
-        @project = Project.find_by_code(params[:id])
+        @project = current_user.projects.find_by_code(params[:id])
         present @project, :with => Entities::Project
       end
 
       # GET /projects/:id/repository/branches
       get ":id/repository/branches" do
-        @project = Project.find_by_code(params[:id])
+        @project = current_user.projects.find_by_code(params[:id])
         present @project.repo.heads.sort_by(&:name), :with => Entities::ProjectRepositoryBranches
       end
 
       # GET /projects/:id/repository/tags
       get ":id/repository/tags" do
-        @project = Project.find_by_code(params[:id])
+        @project = current_user.projects.find_by_code(params[:id])
         present @project.repo.tags.sort_by(&:name).reverse, :with => Entities::ProjectRepositoryTags
       end
     end
diff --git a/spec/api/projects_spec.rb b/spec/api/projects_spec.rb
index 2d1043f961e..e4835736b8c 100644
--- a/spec/api/projects_spec.rb
+++ b/spec/api/projects_spec.rb
@@ -3,10 +3,9 @@ require 'spec_helper'
 describe Gitlab::API do
   let(:user) { Factory :user }
   let!(:project) { Factory :project, :owner => user }
+  before { project.add_access(user, :read) }
 
   describe "GET /projects" do
-    before { project.add_access(user, :read) }
-
     it "should return authentication error" do
       get "/api/projects"
       response.status.should == 401