diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index a6dad85b02a4b47b457181ee881bd1c407d5219f..507c321276db5cd32c5879c9cb4055004bb7062b 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -19,7 +19,7 @@ namespace Coscine.Api.Project.Controllers
         private readonly Authenticator _authenticator;
         private readonly ProjectModel _projectModel;
         private readonly IConfiguration _configuration;
-        private readonly Emitter _emitter; 
+        private readonly Emitter _emitter;
 
         public ProjectController()
         {
@@ -176,7 +176,7 @@ namespace Coscine.Api.Project.Controllers
 
             var project = _projectModel.StoreFromObject(projectObject, user);
 
-            if (projectObject.ParentId != null 
+            if (projectObject.ParentId != null
                 && projectObject.ParentId != new Guid()
                 // for now, only an owner can add subprojects to projects
                 && _projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
diff --git a/src/Project/Controllers/SubProjectController.cs b/src/Project/Controllers/SubProjectController.cs
index a9f95638a2aa661ea43f2995f478e95f616cae5a..812da5778065382280ea15eeeb8658902c6f21a3 100644
--- a/src/Project/Controllers/SubProjectController.cs
+++ b/src/Project/Controllers/SubProjectController.cs
@@ -24,10 +24,19 @@ namespace Coscine.Api.Project.Controllers
         {
             var parentGuid = new Guid(parentId);
             var projectModel = new ProjectModel();
+            var projectRoleModel = new ProjectRoleModel();
             var user = _authenticator.GetUser();
-            if (projectModel.HasAccess(user, projectModel.GetById(parentGuid), UserRoles.Owner, UserRoles.Member))
+            string[] allowedRoles = { UserRoles.Owner, UserRoles.Member };
+            allowedRoles = allowedRoles.Select(x => x.ToLower().Trim()).ToArray();
+            if (projectModel.HasAccess(user, projectModel.GetById(parentGuid), allowedRoles))
             {
-                var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid))
+                var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid 
+                                                                                 // select only subprojects to which the user has access
+                                                                                 && (from projectRole in subProjectM.SubProject_FK.ProjectRolesProjectIdIds
+                                                                                     where projectRole.User.Id == user.Id 
+                                                                                     && allowedRoles.Contains(projectRole.Role.DisplayName.ToLower())
+                                                                                     select projectRole).Any())
+                                                                                 )
                                                     .Select((subProject) => projectModel.GetById(subProject.SubProjectId))
                                                     .Select((project) => projectModel.CreateReturnObjectFromDatabaseObject(project, parentGuid))
                                                     .OrderBy(element => element.DisplayName);
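Review bot: The new access filter inside the `GetAllWhere` predicate keys the authorization decision on `projectRole.Role.DisplayName.ToLower()`, a user-facing label, while the expected values built just above are both lower-cased and trimmed, so a role whose display name carries surrounding whitespace or is later renamed would silently change which sub-projects a user sees. If the role record has a stable identifier, comparing on that is the more robust authorization key; at minimum apply the same normalization on both sides, `&& allowedRoles.Contains(projectRole.Role.DisplayName.ToLower().Trim())`. The same display-name comparison is used in the ProjectModel hunk below (both the existing role lookup and the new parent-role subquery), so whichever approach is chosen should be applied there as well. `ToLower()` is also culture-sensitive should this predicate ever be evaluated in memory rather than translated by the query provider; `ToLowerInvariant()` avoids that, though whether the provider translates it I cannot tell from here. The enclosing action method begins before this hunk and the query statement continues past its last line.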
diff --git a/src/Project/Models/ProjectModel.cs b/src/Project/Models/ProjectModel.cs
index db9f51de3c641115ea08d9997d101c8f071f9048..97c7431977fb9d9fb98b629134d8468fad84b670 100644
--- a/src/Project/Models/ProjectModel.cs
+++ b/src/Project/Models/ProjectModel.cs
@@ -123,7 +123,16 @@ namespace Coscine.Api.Project.Models
             var allUserProjectRoles = projectRoleModel.GetAllWhere((projectRoleRelation) => projectRoleRelation.UserId == user.Id &&
                                                                                             allowedAccess.Contains(projectRoleRelation.Role.DisplayName.ToLower()));
             var allowedProjectIds = allUserProjectRoles.Select((projectRole) => projectRole.ProjectId);
-            var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id));
+            var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id)
+                                                                        && ((!project.SubProjectsSubProjectIdIds.Any()) // get top level projects not having any parent projects
+                                                                            || !(from subProject in project.SubProjectsSubProjectIdIds // check if the direct parent project is accessible to the current user
+                                                                                where (from parentProjectRole in subProject.Project.ProjectRolesProjectIdIds
+                                                                                        where parentProjectRole.UserId == user.Id
+                                                                                        && allowedAccess.Contains(parentProjectRole.Role.DisplayName.ToLower())
+                                                                                        select parentProjectRole).Any()
+                                                                                select subProject).Any())
+                                                            );
+
             return allowedProjects.ToList();
         }
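Review bot: The new predicate is written as `!Any() || !(from … where (from … select …).Any() select …).Any()`, a double negation over two nested query expressions inside a lambda, which makes the rule it enforces hard to verify by reading; the `!Any()` branch is redundant, because `!SubProjectsSubProjectIdIds.Any(sp => …)` is already true when the collection is empty. Expressed in method syntax the same condition reads as "no direct parent that the current user can access", and keeps a single copy of the role predicate rather than repeating it. I would also keep the intent as a comment, `// top level = no parent, or no direct parent the current user can access`, since the visibility rule is what callers of this method rely on. The enclosing method starts before this hunk; behaviour of the rewrite below should be identical, but confirm the query provider translates the lambda form the same way it does the query-expression form.
```csharp
var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id)
    // top level = no parent, or no direct parent the current user can access
    && !project.SubProjectsSubProjectIdIds.Any(subProject =>
            subProject.Project.ProjectRolesProjectIdIds.Any(parentProjectRole =>
                parentProjectRole.UserId == user.Id
                && allowedAccess.Contains(parentProjectRole.Role.DisplayName.ToLower()))));
// … unchanged: return allowedProjects.ToList(); …
```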