diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index 259883f..b225f1d 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -35,6 +35,10 @@ module Api @resource_class ||= resource_name.camelize.constantize end + def resource_scope + @resource_scope ||= resource_class.scoped + end + protected def process_resource_error(options = { }) @@ -110,8 +114,8 @@ module Api resource = resource_identifying_attributes.find do |key| next if key=='id' and params[:id].to_i == 0 method = "find_by_#{key}" - resource_class.respond_to?(method) and - (resource = resource_class.send method, params[:id]) and + resource_scope.respond_to?(method) and + (resource = resource_scope.send method, params[:id]) and break resource end diff --git a/app/controllers/api/v1/compute_resources_controller.rb b/app/controllers/api/v1/compute_resources_controller.rb index 93d3c67..f374721 100644 --- a/app/controllers/api/v1/compute_resources_controller.rb +++ b/app/controllers/api/v1/compute_resources_controller.rb @@ -66,6 +66,12 @@ module Api process_response @compute_resource.destroy end + private + + def resource_scope + resource_class.my_compute_resources + end + end end end diff --git a/app/controllers/api/v1/hosts_controller.rb b/app/controllers/api/v1/hosts_controller.rb index d02d6d1..8154c45 100644 --- a/app/controllers/api/v1/hosts_controller.rb +++ b/app/controllers/api/v1/hosts_controller.rb @@ -108,6 +108,11 @@ Return value may either be one of the following: @host.request_url = request.host_with_port if @host.respond_to?(:request_url) end + # we need to limit resources for a current user + def resource_scope + resource_class.my_hosts + end + end end end diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml index c231919..90d1f6f 100644 --- a/test/fixtures/roles.yml +++ b/test/fixtures/roles.yml 
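Review bot: The new `resource_scope` sits above the `protected` marker, so it is a public instance method of an ActionController subclass and becomes a routable action should a route ever match its name; define it below `protected`, next to `process_resource_error`, where it is still callable with an implicit receiver and overridable by subclasses. The memoized default `resource_class.scoped` is the unrestricted relation, so every controller that does not override the method keeps unrestricted lookups — that is the intended design but deserves a line of documentation: `# Relation used for resource lookup; override in a subclass to restrict it to the current user's resources.` The enclosing class continues outside the hunk.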
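Review bot: `resource_scope` is now an ActiveRecord relation rather than the model class, so the `resource_scope.respond_to?(method)` guard depends on the relation answering `respond_to?` for dynamic `find_by_*` finders in the Rails version in use; if it does not, the loop silently finds nothing and every lookup becomes a 404, and the new functional tests, which only assert the denied case, would not notice. Worth confirming with a lookup test for a resource inside the user's scope. Only this by-identifier path is restricted; if collection actions elsewhere still query `resource_class` directly, the restriction does not cover listings — that is outside the hunk, so please verify. The enclosing method starts and ends outside the hunk.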
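Review bot: The override is undocumented, and its contract — that `my_compute_resources` is evaluated against the current user, so it must only be called after authentication has run — is not visible from this hunk; a short comment makes that explicit: `# Restrict lookups to the compute resources visible to the current user (overrides Api::BaseController#resource_scope).` The base implementation memoizes in `@resource_scope` while this override recomputes the relation on each call; harmless, but `@resource_scope ||= resource_class.my_compute_resources` would keep the two consistent. Whether `my_compute_resources` reads `User.current` is inferred from the name and should be confirmed against the model.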
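Review bot: Unlike the compute-resources override, this `resource_scope` has no visibility marker in the hunk, so if the surrounding region of the class is public it becomes a public (routable) controller method; add a `private` marker before it, matching the compute-resources controller. The comment could also state what the method is rather than why it exists, e.g. `# Restrict host lookups to hosts visible to the current user (overrides Api::BaseController#resource_scope).` Whether the preceding method is in a public or private section is outside the hunk and should be checked.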
@@ -197,3 +197,11 @@ none_compute_resources: permissions: | --- +view_compute_resources: + name: View compute resources + id: "11" + builtin: "0" + permissions: | + --- + - :view_compute_resources + diff --git a/test/fixtures/user_roles.yml b/test/fixtures/user_roles.yml new file mode 100644 index 0000000..04de356 --- /dev/null +++ b/test/fixtures/user_roles.yml @@ -0,0 +1,11 @@ +user_three_viewer_role: + user: three + role_id: 5 + +user_three_anonymous_role: + user: three + role_id: 7 + +user_three_view_compute_resources: + user: three + role_id: 11 diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index 20fb7bb..fc9b1f2 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml @@ -18,6 +18,16 @@ two: last_login_on: 2009-10-12 21:50:04 auth_source: one +three: + login: three + firstname: Three + lastname: User + mail: userthree@someware.com + admin: false + last_login_on: 2009-10-12 21:50:04 + auth_source: one + filter_on_owner: true + admin: login: admin firstname: Admin @@ -49,4 +59,4 @@ apiadmin: last_login_on: 2009-10-12 21:50:04 auth_source: internal password_hash: 02d7ff9921071af778ff4f8608579dcd6d80dfba - password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc \ No newline at end of file + password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc diff --git a/test/functional/api/v1/compute_resources_controller_test.rb b/test/functional/api/v1/compute_resources_controller_test.rb index 17516e2..1544e8f 100644 --- a/test/functional/api/v1/compute_resources_controller_test.rb +++ b/test/functional/api/v1/compute_resources_controller_test.rb @@ -47,4 +47,11 @@ class Api::V1::ComputeResourcesControllerTest < ActionController::TestCase assert_response :success end + test "should not allow access to a compute resource out of users compute resources scope" do + as_user(:three) do + get :show, { :id => compute_resources(:one).to_param } + end + assert_response :not_found + end + end 
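Review bot: The new fixture references roles by numeric id (`role_id: 5`, `role_id: 7`, `role_id: 11`) while the user side uses a label (`user: three`); if the `user_roles` model has a `role` association, label references such as `role: view_compute_resources` would avoid hard-coded ids that must stay in sync with `roles.yml`. The labels behind ids 5 and 7 are not visible here, so this is a suggestion to verify against the roles fixture.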
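Review bot: The new test only covers the denied case; a lookup that fails for every user — for example if `find_by_*` is not answered by the scoped relation — would also return 404 and still pass. Add the positive counterpart, a `show` as user `three` on a compute resource inside that user's scope asserting `:success`, so the scope is shown to admit as well as deny. The same gap applies to the new host test in `hosts_controller_test.rb`. The fixtures give user three `view_compute_resources` permission but no owned resource is visible in this diff, so that fixture may need to be added too.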
diff --git a/test/functional/api/v1/hosts_controller_test.rb b/test/functional/api/v1/hosts_controller_test.rb index a1131f9..40f02aa 100644 --- a/test/functional/api/v1/hosts_controller_test.rb +++ b/test/functional/api/v1/hosts_controller_test.rb @@ -63,4 +63,10 @@ class Api::V1::HostsControllerTest < ActionController::TestCase assert_response :success end + test "should not allow access to a host out of users hosts scope" do + as_user :three do + get :show, { :id => hosts(:one).to_param } + end + assert_response :not_found + end end
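Review bot: `as_user :three do` omits the parentheses that the parallel compute-resources test uses (`as_user(:three) do`); pick one form for both new tests, `as_user(:three) do`, so the two added cases read identically.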