diff --git a/src/Blob/Controllers/BlobController.cs b/src/Blob/Controllers/BlobController.cs
index fce117de7946c34e0937797076d9dd7fcf6db0dd..226a8b9f082d11df5e716be83eab154f5fcb5e6b 100644
--- a/src/Blob/Controllers/BlobController.cs
+++ b/src/Blob/Controllers/BlobController.cs
@@ -120,11 +120,14 @@ namespace Coscine.Api.Blob.Controllers
             {
                 return checkResourceId;
             }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: View Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member, UserRoles.Guest))
             {
-                return checkUser;
+                return Forbid("User does not have permission to download files from the resource.");
             }
+
             try
             {
                 var resourceTypeDefinition = ResourceTypeFactory.Instance.GetResourceType(resource);
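Review bot: The string passed to `Forbid(...)` in the new download check is not a response message. Assuming this controller derives from ASP.NET Core's `ControllerBase`, `Forbid(params string[] authenticationSchemes)` treats the argument as an authentication scheme name, so the denial path will most likely fail on an unregistered scheme and surface as a 500 instead of a 403. The removed `CheckUser` made the same call, and the pattern is now repeated in the upload and delete hunks. Consider `return Forbid();`, or if the text should reach the client, `return StatusCode(StatusCodes.Status403Forbidden, "User does not have permission to download files from the resource.");`. The enclosing action starts and ends outside the hunk.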
@@ -204,10 +207,12 @@ namespace Coscine.Api.Blob.Controllers
             {
                 return checkResourceId;
             }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: Change Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
             {
-                return checkUser;
+                return Forbid("User does not have permission to upload files in the resource.");
             }
 
             if (resource.Archived == "1")
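Review bot: The write-role list `UserRoles.Owner, UserRoles.Member` is now spelled out separately here and in the delete hunk, whereas the removed `CheckUser` kept it in one place. A later change to the rights matrix can therefore be applied to one action and missed in the other. One private helper per right (one for "view resource", one for "change resource") would keep the role mapping in a single spot. The comment also points to a private wiki page, so stating the rule itself would let a reader without wiki access verify the check, e.g. `// Change Resource: Owner and Member only; Guest is read-only`. The enclosing action continues outside the hunk.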
@@ -306,10 +311,12 @@ namespace Coscine.Api.Blob.Controllers
             {
                 return checkResourceId;
             }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: Change Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
             {
-                return checkUser;
+                return Forbid("User does not have permission to delete from the resource.");
             }
 
             if (resource.Archived == "1")
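Review bot: The denial branch of the delete check returns without recording anything within the visible lines, so rejected delete attempts leave no trace unless a filter or middleware outside the hunk logs them. Because delete is the destructive operation, logging the user id (when present), the resource id and the attempted action before the `return` would make repeated unauthorized attempts visible to whoever monitors the service. `user is null` is folded into the same "no permission" result; if null means the caller could not be resolved to an account, it is worth distinguishing that case in the log entry. The enclosing action starts and ends outside the hunk.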
@@ -395,21 +402,6 @@ namespace Coscine.Api.Blob.Controllers
             return null;
         }
 
-        /// <summary>
-        /// Checks if the user has access to the resource
-        /// </summary>
-        /// <param name="user">user</param>
-        /// <param name="resource">resource</param>
-        /// <returns>status code 403 if the user has no access</returns>
-        public IActionResult CheckUser(User user, Resource resource)
-        {
-            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
-            {
-                return Forbid("User does not have permission to the resource.");
-            }
-            return null;
-        }
-
         /// <summary>
         /// Writes an analytics log entry
         /// </summary>