diff --git a/code/RestfulServer.php b/code/RestfulServer.php
index 3dba5ff..0f4fa78 100644
--- a/code/RestfulServer.php
+++ b/code/RestfulServer.php
@@ -178,7 +178,9 @@ class RestfulServer extends Controller {
 if($obj instanceof SS_List) {
 $responseFormatter->setTotalSize($obj->dataQuery()->query()->unlimitedRowCount());
-return $responseFormatter->convertDataObjectSet($obj, $fields);
+$objs = new ArrayList($obj->toArray());
+foreach($objs as $obj) if(!$obj->canView()) $objs->remove($obj);
+return $responseFormatter->convertDataObjectSet($objs, $fields);
 } else if(!$obj) {
 $responseFormatter->setTotalSize(0);
 return $responseFormatter->convertDataObjectSet(new ArrayList(), $fields);
diff --git a/tests/RestfulServerTest.php b/tests/RestfulServerTest.php
index 7980a18..0535d90 100644
--- a/tests/RestfulServerTest.php
+++ b/tests/RestfulServerTest.php
@@ -54,7 +54,7 @@ class RestfulServerTest extends SapphireTest {
 public function testAuthenticatedGET() {
 $thing1 = $this->objFromFixture('RestfulServerTest_SecretThing', 'thing1');
 $comment1 = $this->objFromFixture('RestfulServerTest_Comment', 'comment1');
-
+
 // @todo create additional mock object with authenticated VIEW permissions
 $url = "/api/v1/RestfulServerTest_SecretThing/" . $thing1->ID;
 $response = Director::test($url, null, null, 'GET');
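Review bot: The new `canView()` filter runs after `setTotalSize()` has already been fed `unlimitedRowCount()` from the unfiltered query, so the total reported to the client still counts records the current member may not view, which both discloses how many hidden items exist and disagrees with the number of items actually returned. If the formatter emits that total, either derive it from the filtered list (`$responseFormatter->setTotalSize($objs->count());`, accepting that paging totals then cover only the current page) or add a comment stating that the total is pre-filter and why. The loop also reuses `$obj` as its iteration variable, shadowing the SS_List it was built from; `foreach($objs as $item) if(!$item->canView()) $objs->remove($item);` avoids that, and whether `remove()` during iteration is safe depends on ArrayList's iterator working on a copy of the items, which deserves a one-line comment. The enclosing method starts and ends outside the hunk.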
@@ -417,6 +417,30 @@ class RestfulServerTest extends SapphireTest {
 $this->assertEquals($responseArr['Rating'], 42);
 $this->assertNotEquals($responseArr['WriteProtectedField'], 'haxx0red');
 }
+
+public function testCanViewRespectedInList() {
+// Default content type
+$url = "/api/v1/RestfulServerTest_SecretThing/";
+$response = Director::test($url, null, null, 'GET');
+$this->assertEquals($response->getStatusCode(), 200);
+$this->assertNotContains('Unspeakable', $response->getBody());
+
+// JSON content type
+$url = "/api/v1/RestfulServerTest_SecretThing.json";
+$response = Director::test($url, null, null, 'GET');
+$this->assertEquals($response->getStatusCode(), 200);
+$this->assertNotContains('Unspeakable', $response->getBody());
+
+// With authentication
+$_SERVER['PHP_AUTH_USER'] = 'editor@test.com';
+$_SERVER['PHP_AUTH_PW'] = 'editor';
+$url = "/api/v1/RestfulServerTest_SecretThing/";
+$response = Director::test($url, null, null, 'GET');
+$this->assertEquals($response->getStatusCode(), 200);
+$this->assertContains('Unspeakable', $response->getBody());
+unset($_SERVER['PHP_AUTH_USER']);
+unset($_SERVER['PHP_AUTH_PW']);
+}
 }
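Review bot: In testCanViewRespectedInList the `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` assignments are only cleared on the success path; if the `assertContains('Unspeakable', …)` assertion fails, the editor credentials stay set for every test that runs afterwards in the same process, so later unauthenticated checks could pass or fail for the wrong reason. Move the two `unset()` calls into `tearDown()` (or wrap the authenticated section in `try { … } finally { … }`) so the cleanup is unconditional. The test also only checks that the hidden value is absent from the body; if the list response carries a total count, asserting that it equals the number of visible items would cover the filtering end to end. Minor: PHPUnit takes the expected value first, `$this->assertEquals(200, $response->getStatusCode());`.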