=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractCrudController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractCrudController.java 2015-06-10 12:17:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/AbstractCrudController.java 2015-06-11 02:45:21 +0000
@@ -167,6 +167,11 @@
 WebOptions options = new WebOptions( rpParameters );
 WebMetaData metaData = new WebMetaData();
+ if ( !aclService.canRead( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new ReadAccessDeniedException( "You don't have the proper permissions to read objects of this type." );
+ }
+
 if ( fields.isEmpty() )
 {
 fields.add( ":identifiable" );
@@ -216,6 +221,11 @@
 TranslateOptions translateOptions, HttpServletRequest request, HttpServletResponse response ) throws Exception
 {
+ if ( !aclService.canRead( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new ReadAccessDeniedException( "You don't have the proper permissions to read objects of this type." );
+ }
+
 List fields = Lists.newArrayList( contextService.getParameterValues( "fields" ) );
 List filters = Lists.newArrayList( contextService.getParameterValues( "filter" ) );
@@ -234,6 +244,11 @@
 TranslateOptions translateOptions, HttpServletRequest request, HttpServletResponse response ) throws Exception
 {
+ if ( !aclService.canRead( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new ReadAccessDeniedException( "You don't have the proper permissions to read objects of this type." );
+ }
+
 List fields = Lists.newArrayList( contextService.getParameterValues( "fields" ) );
 if ( fields.isEmpty() )
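Review bot: The same four-line read check is pasted verbatim into four methods (the hunks at 167, 216, 234 and the one at 633), which makes it easy for the next read endpoint added to this controller to miss it; extract it once as `private void checkReadAccess()` holding the `aclService.canRead( currentUserService.getCurrentUser(), getEntityClass() )` test and the `ReadAccessDeniedException`, and replace each block with `checkReadAccess();`. Note also that in the first hunk the check sits after `WebOptions` and `WebMetaData` are built, whereas in the other three it is the first statement of the method; putting it first everywhere keeps the authorization gate ahead of any request processing. The check is type-level only (`getEntityClass()`), so per-object sharing rules are presumably still enforced further down in the read path; worth a short comment such as `// Type-level read check; per-object sharing is applied by the query/filter layer` if that is the intent. It is also worth confirming that `ReadAccessDeniedException` is mapped to a 403 by the controller's exception handling rather than surfacing as a generic 500. The method enclosing the first hunk begins outside the hunk.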
@@ -633,6 +648,11 @@
 TranslateOptions translateOptions, HttpServletRequest request, HttpServletResponse response ) throws Exception
 {
+ if ( !aclService.canRead( currentUserService.getCurrentUser(), getEntityClass() ) )
+ {
+ throw new ReadAccessDeniedException( "You don't have the proper permissions to read objects of this type." );
+ }
+
 RootNode rootNode = getObjectInternal( pvUid, parameters, Lists.newArrayList(), Lists.newArrayList( pvProperty + "[:all]" ), translateOptions );
 // TODO optimize this using field filter (collection filtering)
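Review bot: The added check gates on `getEntityClass()`, but the call on the following line fetches `pvProperty + "[:all]"`, i.e. every field of whatever objects sit behind the named property, and those objects may be of a different identifiable type than the controller's own. If that is the case, a read grant on the parent type does not imply one on the property's element type, so the property type should presumably get its own `aclService.canRead` check before the nodes are returned; confirm against how `getObjectInternal` and the field filter treat nested objects. A comment such as `// Checks read access on the owning type only; the property's element type is checked when the collection is filtered` (or its opposite) would make the intended scope explicit. The method body continues past the end of the hunk.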