diff --git a/src/api/controllers/Boards.php b/src/api/controllers/Boards.php
index 1db036f..0282091 100644
--- a/src/api/controllers/Boards.php
+++ b/src/api/controllers/Boards.php
@@ -16,11 +16,13 @@ class Boards extends BaseController {
 $this->apiJson->setSuccess();
 foreach($boardBeans as $bean) {
- // TODO: Filter boards to those where the user is a member
 $board = new Board($this->container);
 $board->loadFromBean($bean);
- $this->apiJson->addData($board);
+ if (Auth::HasBoardAccess($this->container,
+ $request, $board->id)) {
+ $this->apiJson->addData($board);
+ }
 }
 } else {
 $this->logger->addInfo('No boards in database.');
@@ -38,7 +40,6 @@ class Boards extends BaseController {
 }
 $board = new Board($this->container, (int)$args['id']);
- // TODO: Filter boards to those where the user is a member
 if ($board->id === 0) {
 $this->logger->addError('Attempt to load board ' . $args['id'] .
@@ -49,6 +50,10 @@ class Boards extends BaseController {
 return $this->jsonResponse($response);
 }
+ if (!$this->checkBoardAccess($board->id, $request)) {
+ return $this->jsonResponse($response, 403);
+ }
+
 $this->apiJson->setSuccess();
 $this->apiJson->addData($board);
@@ -93,7 +98,10 @@ class Boards extends BaseController {
 }
 $board = new Board($this->container, (int)$args['id']);
- // TODO: Filter boards to those where the user is a member
+
+ if (!$this->checkBoardAccess($board->id, $request)) {
+ return $this->jsonResponse($response, 403);
+ }
 $update = new Board($this->container);
 $update->loadFromJson($request->getBody());
@@ -131,6 +139,10 @@ class Boards extends BaseController {
 $id = (int)$args['id'];
 $board = new Board($this->container, $id);
+ if (!$this->checkBoardAccess($board->id, $request)) {
+ return $this->jsonResponse($response, 403);
+ }
+
 if ($board->id !== $id) {
 $this->logger->addError('Remove Board: ', [$board]);
 $this->apiJson->addAlert('error', 'Error removing board. ' .
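Review bot: The per-board check in the getBoards loop calls `Auth::HasBoardAccess($this->container, $request, $board->id)` directly, while the other three hunks in this file route the same decision through `$this->checkBoardAccess($board->id, $request)`; for consistency the loop should use the helper too, `if ($this->checkBoardAccess($board->id, $request)) {`, unless checkBoardAccess also records an alert on failure, which would be unwanted inside a listing loop and should then be documented on the helper. The check also runs once per bean; if HasBoardAccess re-validates the token or queries membership on every call, resolving the caller once before the loop would avoid repeating that work — its body is not visible here. The enclosing method starts before this hunk.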
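Review bot: In getBoard the new access check is placed after the `$board->id === 0` branch, so a caller without access gets the 'Attempt to load board' error path for an id that does not exist and a 403 for one that does, which lets board existence be inferred from the response; the removeBoard hunk (`@@ -131,6 +139,10`) orders the two checks the other way round. Pick one order for both methods (and for updateBoard, where no existence check is visible in its hunk) — if board existence is not considered sensitive the current order is acceptable and only the inconsistency remains. Whatever `checkBoardAccess` returns for an id of 0 should also be confirmed, since in removeBoard it is reached before the id is validated. The enclosing method begins outside the hunk.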
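Review bot: The new check in updateBoard authorizes `$board->id`, the id taken from the route, but the payload is then loaded into a separate `$update` object via `loadFromJson($request->getBody())`; if the code after this hunk persists `$update` using an id carried in the body rather than `$board->id`, the access check does not cover the board actually written. Confirm that the remainder of the method rejects or overwrites a body id that differs from `$args['id']`, for example `if ($update->id !== $board->id) { return $this->jsonResponse($response, 403); }` once the payload is loaded. The method continues past the end of the hunk, so this may already be handled there.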
diff --git a/test/api/controllers/AttachmentsTest.php b/test/api/controllers/AttachmentsTest.php
index 96d4142..dda93e3 100644
--- a/test/api/controllers/AttachmentsTest.php
+++ b/test/api/controllers/AttachmentsTest.php
@@ -1,9 +1,6 @@ alerts[0]['text']); }
+ public function testGetBoardForbidden() {
+ $this->createBoard();
+
+ DataMock::createBoardAdminUser();
+
+ $args = [];
+ $args['id'] = 1;
+
+ $request = new RequestMock();
+ $request->header = [DataMock::getJwt(2)];
+
+ $this->boards = new Boards(new ContainerMock());
+
+ $actual = $this->boards->getBoard($request,
+ new ResponseMock(), $args);
+ $this->assertEquals('Access restricted.',
+ $actual->alerts[0]['text']);
+ }
+
 public function testAddRemoveBoard() {
 $actual = $this->createBoard();
@@ -186,6 +208,29 @@ class BoardsTest extends PHPUnit_Framework_TestCase {
 $this->assertEquals('failure', $response->status);
 }
+ public function testUpdateBoardForbidden() {
+ $this->createBoard();
+
+ DataMock::createBoardAdminUser();
+
+ $board = DataMock::getBoard();
+ $board->is_active = false;
+
+ $args = [];
+ $args['id'] = $board->id;
+
+ $this->boards = new Boards(new ContainerMock());
+
+ $request = new RequestMock();
+ $request->payload = $board;
+ $request->header = [DataMock::getJwt(2)];
+
+ $actual = $this->boards->updateBoard($request,
+ new ResponseMock(), $args);
+ $this->assertEquals('Access restricted.',
+ $actual->alerts[0]['text']);
+ }
+
 private function createBoard() {
 $request = new RequestMock();
 $request->header = [DataMock::getJwt()];
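Review bot: testUpdateBoardForbidden asserts only the alert text 'Access restricted.', so a regression that records the alert but still applies the `$board->is_active = false` change would pass. Add an assertion on the response status, matching the `$this->assertEquals('failure', $response->status);` check visible just above in the same hunk, e.g. `$this->assertEquals('failure', $actual->status);`, and if the harness allows, verify afterwards that the stored board is unchanged. The same applies to testGetBoardForbidden earlier in this file, whose hunk header is not recoverable here, where asserting that no board data is returned would pin the forbidden path rather than just its message.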