diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index 4e96b6a6a31b2eb96b335b381b35370c67da271f..898f51d338605ccecb8c2ba228aa4cb5d9796f14 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -34,7 +34,7 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
 
-            return Ok(_projectModel.GetWithAccess(user, UserRoles.Owner).ToList()
+            return Ok(_projectModel.GetWithAccess(user, UserRoles.Member, UserRoles.Owner).ToList()
                 .Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)));
 
         }
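Review bot: The widened filter on the `GetWithAccess` call now lists projects for plain members, yet every entry still passes through the same `CreateReturnObjectFromDatabaseObject` projection that owners previously received. If that return object carries fields meant only for owners, members can now read them; the projection is not visible in this hunk, so this needs confirming. A comment above the return would record the intent, for example `// Members and owners both get this list; the return object must not expose owner-only data.` The action's signature and attributes lie outside the hunk.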
@@ -164,6 +164,14 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
             var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);
+
+            if (projectObject.ParentId != null
+                && projectObject.ParentId != new Guid()
+                && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
+            {
+                return Unauthorized("User is not allowed to create SubProjects.");
+            }
+
             var project = _projectModel.StoreFromObject(projectObject, user);
 
             if (projectObject.ParentId != null
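Review bot: The new guard passes the result of `_projectModel.GetById(projectObject.ParentId)` straight into `HasAccess`, so a `ParentId` taken from the request body that matches no project is not rejected explicitly. Whether `GetById` returns null or throws in that case is not visible here; resolving the parent first and refusing when it is missing keeps the check fail-closed. The caller is already authenticated at this point, so a 403 (for example `StatusCode(403, ...)`) describes the refusal more accurately than `Unauthorized`, which signals a missing login. `Guid.Empty` reads more clearly than `new Guid()`. The action continues past the end of the hunk, where the same `ParentId` condition is tested again.

```csharp
var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);

if (projectObject.ParentId != null && projectObject.ParentId != Guid.Empty)
{
    // Resolve the parent once so a missing project is refused rather than handed to HasAccess.
    var parentProject = _projectModel.GetById(projectObject.ParentId);
    if (parentProject == null
        || !_projectModel.HasAccess(user, parentProject, UserRoles.Owner))
    {
        return StatusCode(403, "User is not allowed to create SubProjects.");
    }
}

// … unchanged: StoreFromObject call and the existing ParentId handling …
```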