diff --git a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php
index 1f3f83e9fc..9e35195b5f 100644
--- a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php
+++ b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php
@@ -472,8 +472,14 @@ class V1Controller extends Controller
 
     public function getDataboxCollectionAction(Request $request, $base_id)
     {
+        try {
+            $collection = $this->getApplicationBox()->get_collection($base_id);
+        } catch (\RuntimeException $exception) {
+            throw new \HttpException('Collection not found', 404, $exception);
+        }
+
         return Result::create($request, [
-            $this->listCollection($this->app->getApplicationBox()->get_collection($base_id))
+            'collection' => $this->listCollection($collection),
         ])->createResponse();
     }
 
@@ -2513,6 +2519,18 @@ class V1Controller extends Controller
         return null;
     }
 
+    public function ensureAccessToBase(Request $request)
+    {
+        $user = $this->getApiAuthenticatedUser();
+        $base_id = $request->attributes->get('base_id');
+
+        if (!$this->getAclForUser($user)->has_access_to_base($base_id)) {
+            return Result::createError($request, 401, 'You are not authorized')->createResponse();
+        }
+
+        return null;
+    }
+
     public function ensureCanAccessToRecord(Request $request)
     {
         $user = $this->getApiAuthenticatedUser();
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Api/V1.php b/lib/Alchemy/Phrasea/ControllerProvider/Api/V1.php
index 4f84fa99b6..4d3778670e 100644
--- a/lib/Alchemy/Phrasea/ControllerProvider/Api/V1.php
+++ b/lib/Alchemy/Phrasea/ControllerProvider/Api/V1.php
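Review bot: `throw new \HttpException('Collection not found', 404, $exception)` names `HttpException` in the global namespace, where PHP defines no such class, so unless the project itself declares a global `HttpException` the first unknown `base_id` to reach this catch block ends in a class-not-found fatal rather than a 404; if the intended class is Symfony's `HttpException`, its constructor takes `($statusCode, $message, $previous)`, so the argument order is also reversed. The rest of this API reports failures through `Result::createError` (the `ensureAccessToBase` hunk below does exactly that), so the consistent fix is `return Result::createError($request, 404, 'Collection not found')->createResponse();` in place of the throw. The catch only covers `\RuntimeException`; whether `get_collection` reports a missing collection that way is not visible here and is worth confirming before relying on the 404 path.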
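Review bot: `ensureAccessToBase` answers a failed ACL check with 401 although `getApiAuthenticatedUser()` has already established who the caller is; a denied `has_access_to_base` is an authorization failure, for which 403 is the accurate status, and a 401 can make API clients discard valid credentials and re-authenticate in a loop. If the neighbouring `ensure*` guards in this file deliberately use 401 the status should at least stay consistent with them, but `return Result::createError($request, 403, 'You are not authorized')->createResponse();` is what the check actually means. Separately, `$request->attributes->get('base_id')` yields null when this guard is attached to a route without that placeholder, so either document that precondition in a docblock or fail closed with a 400 on null rather than depending on how `has_access_to_base(null)` happens to behave.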
@@ -72,7 +72,9 @@ class V1 implements ControllerProviderInterface, ServiceProviderInterface
         $controllers->get('/monitor/phraseanet/', 'controller.api.v1:showPhraseanetConfigurationAction')
             ->before('controller.api.v1:ensureAdmin');
 
-        $controllers->get('/collections/{base_id}/', 'controller.api.v1:getDataboxCollectionAction');
+        $controllers->get('/collections/{base_id}/', 'controller.api.v1:getDataboxCollectionAction')
+            ->before('controller.api.v1:ensureAccessToBase')
+            ->assert('base_id', '\d+');
 
         $controllers->get('/databoxes/list/', 'controller.api.v1:listDataboxesAction');
 
diff --git a/lib/classes/appbox.php b/lib/classes/appbox.php
index eaac5de92e..31bb26660f 100644
--- a/lib/classes/appbox.php
+++ b/lib/classes/appbox.php
@@ -257,6 +257,10 @@ class appbox extends base
         return $this->databoxes;
     }
 
+    /**
+     * @param $sbas_id
+     * @return databox
+     */
     public function get_databox($sbas_id)
     {
         $databoxes = $this->get_databoxes();
@@ -268,6 +272,10 @@ class appbox extends base
         return $databoxes[$sbas_id];
     }
 
+    /**
+     * @param int $base_id
+     * @return collection
+     */
     public function get_collection($base_id)
     {
         $sbas_id = phrasea::sbasFromBas($this->app, $base_id);
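Review bot: The docblock added to `get_databox` leaves `@param $sbas_id` without a type, while the docblock added to `get_collection` in the next hunk writes `@param int $base_id`; `@param int $sbas_id` keeps the two consistent and gives static analysis something to check on callers. The body of `get_databox` continues past the end of the hunk.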
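Review bot: `@return collection` on `get_collection` documents only the success path, yet the controller hunk in V1Controller.php wraps this call in `catch (\RuntimeException $exception)`, which suggests an unknown `base_id` is reported by throwing; that contract belongs in the docblock as `@throws \RuntimeException when no collection matches $base_id`. The method body runs past the hunk, so confirm against the remaining lines what it actually throws before committing to the tag.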