diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 259883f..b225f1d 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -35,6 +35,10 @@ module Api
       @resource_class ||= resource_name.camelize.constantize
     end
 
+    def resource_scope
+      @resource_scope ||= resource_class.scoped
+    end
+
     protected
 
     def process_resource_error(options = { })
@@ -110,8 +114,8 @@ module Api
       resource = resource_identifying_attributes.find do |key|
         next if key=='id' and params[:id].to_i == 0
         method = "find_by_#{key}"
-        resource_class.respond_to?(method) and
-          (resource = resource_class.send method, params[:id]) and
+        resource_scope.respond_to?(method) and
+          (resource = resource_scope.send method, params[:id]) and
         break resource
       end
 
diff --git a/app/controllers/api/v1/hosts_controller.rb b/app/controllers/api/v1/hosts_controller.rb
index d02d6d1..8154c45 100644
--- a/app/controllers/api/v1/hosts_controller.rb
+++ b/app/controllers/api/v1/hosts_controller.rb
@@ -108,6 +108,11 @@ Return value may either be one of the following:
         @host.request_url = request.host_with_port if @host.respond_to?(:request_url)
       end
 
+      # we need to limit resources for a current user
+      def resource_scope
+        resource_class.my_hosts
+      end
+
     end
   end
 end
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index 20fb7bb..f83c4b2 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -18,6 +18,16 @@ two:
   last_login_on: 2009-10-12 21:50:04
   auth_source: one
 
+three:
+  login: thtree
+  firstname: Three
+  lastname: User
+  mail: userthree@someware.com
+  admin: false
+  last_login_on: 2009-10-12 21:50:04
+  auth_source: one
+  filter_on_owner: true
+
 admin:
   login: admin
   firstname: Admin
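Review bot: The default `resource_scope` added in the first hunk is unrestricted (`resource_class.scoped` is the whole table), so the per-user restriction this commit introduces is opt-in: every API controller that does not override the method keeps exposing all of its records through the identifier lookup in the second hunk. That is worth stating on the method so later controllers do not rely on it silently, e.g. `# Unrestricted by default; controllers that must limit records to the current user override this (see Api::V1::HostsController#resource_scope).` Two smaller points: the method sits above `protected`, so like `resource_class` it is a public controller method, and placing it below `protected` avoids it ever being exposed as an action; and `scoped` is the Rails 3 relation API (deprecated in 4.0, removed in 4.1), so if this app is on the upgrade path `resource_class.all` is the forward-compatible spelling — the Rails version is not visible in this diff.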
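Review bot: The scoped lookup in the second base_controller hunk only covers resources fetched by identifier, so any other path in the controller that queries `resource_class` directly (an index listing, for instance) is unaffected by this change — those actions are not in the diff, so verify they go through `resource_scope` too. Because the hosts override returns a fresh relation, `resource_scope` is built twice per iteration (once for `respond_to?`, once for `send`); binding it once before the `find` block, `scope = resource_scope`, avoids that and guarantees both calls see the same relation. The new lines keep `and` for boolean chaining, which is a precedence trap in Ruby; `&&` is the usual choice and reads the same here. The enclosing method starts before this hunk.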
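Review bot: The comment `# we need to limit resources for a current user` on the hosts_controller override says that a restriction is needed but not what the method does; a reader should be able to tell that this is the authorization boundary for API host lookups. Something like `# Restricts API lookups to the hosts the current user is permitted to see; the base class default is unscoped.` would do — assuming `my_hosts` is the user-filtered scope, which is not visible in this diff. The override also drops the `@resource_scope ||=` memoization the base method uses; that is reasonable if `my_hosts` depends on the current user, but the difference deserves a word in the comment. Whether the method ends up public or protected depends on a visibility marker earlier in the class, outside the hunk; if it is public it is exposed as an action wherever a route matches.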
@@ -49,4 +59,4 @@ apiadmin:
   last_login_on: 2009-10-12 21:50:04
   auth_source: internal
   password_hash: 02d7ff9921071af778ff4f8608579dcd6d80dfba
-  password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
\ No newline at end of file
+  password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
diff --git a/test/functional/api/v1/hosts_controller_test.rb b/test/functional/api/v1/hosts_controller_test.rb
index a1131f9..f3aa540 100644
--- a/test/functional/api/v1/hosts_controller_test.rb
+++ b/test/functional/api/v1/hosts_controller_test.rb
@@ -63,4 +63,9 @@ class Api::V1::HostsControllerTest < ActionController::TestCase
     assert_response :success
   end
 
+  test "should not allow access to a host out of users hosts scope" do
+    @request.session[:user] = users(:three).id
+    get :show, { :id => hosts(:one).to_param }
+    assert_response :not_found
+  end
 end
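Review bot: The new test only checks the negative case, so it would also pass if `resource_scope` returned an empty relation for every user — a regression that hides all hosts would go unnoticed. A companion test that signs in as `users(:three)` and fetches a host inside their scope, asserting `assert_response :success`, pins the scoping in both directions; which fixture host qualifies depends on how `filter_on_owner` and `my_hosts` interact, which this diff does not show. Asserting `:not_found` rather than `:forbidden` is the right choice for not revealing whether an out-of-scope host exists, and deserves a one-line comment saying so, e.g. `# 404, not 403: out-of-scope hosts must not be distinguishable from missing ones`. The enclosing test class starts before this hunk.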