--- a/roundup/xmlrpc.py	Tue Oct 19 00:41:29 2010 +0000
+++ b/roundup/xmlrpc.py	Tue Oct 19 15:29:05 2010 +0000
@@ -89,8 +89,15 @@
     def filter(self, classname, search_matches, filterspec,
                sort=[], group=[]):
         cl = self.db.getclass(classname)
+        uid = self.db.getuid()
+        security = self.db.security
+        filterspec = security.filterFilterspec (uid, classname, filterspec)
+        sort = security.filterSortspec (uid, classname, sort)
+        group = security.filterSortspec (uid, classname, group)
         result = cl.filter(search_matches, filterspec, sort=sort, group=group)
-        return result
+        check = security.hasPermission
+        x = [id for id in result if check('View', uid, classname, itemid=id)]
+        return x
 
     def display(self, designator, *properties):
         classname, itemid = hyperdb.splitDesignator(designator)