diff --git a/src/Umbraco.Web/Trees/LegacyTreeController.cs b/src/Umbraco.Web/Trees/LegacyTreeController.cs
index a3475ce0bd..cf8d90e0c4 100644
--- a/src/Umbraco.Web/Trees/LegacyTreeController.cs
+++ b/src/Umbraco.Web/Trees/LegacyTreeController.cs
@@ -19,7 +19,7 @@ namespace Umbraco.Web.Trees
/// This is used to output JSON from legacy trees
///
[PluginController("UmbracoTrees")]
- //public class LegacyTreeController : UmbracoAuthorizedApiController
+ [LegacyTreeAuthorizeAttribute]
public class LegacyTreeController : TreeControllerBase
{
private readonly XmlTreeNode _xmlTreeNode;
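Review bot: The filter is applied as `[LegacyTreeAuthorizeAttribute]`; the conventional C# form drops the suffix, `[LegacyTreeAuthorize]`, as `[PluginController("UmbracoTrees")]` on the line above appears to do. With the commented-out `UmbracoAuthorizedApiController` base removed, this attribute is the only access control visible on the class in this hunk, so the class summary should say so, for example `/// Access is limited to users who can access the application that owns the requested tree.` Whether `TreeControllerBase` adds its own authentication is not visible here, and the class body continues outside the hunk.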
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 22cf8b3965..85bc54c778 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -552,6 +552,7 @@
+
@@ -2158,4 +2159,4 @@
-
+
\ No newline at end of file
diff --git a/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs
new file mode 100644
index 0000000000..a337b36989
--- /dev/null
+++ b/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs
@@ -0,0 +1,28 @@
+using System.Web.Http;
+using System.Web.Http.Controllers;
+using Umbraco.Core;
+
+namespace Umbraco.Web.WebApi.Filters
+{
+ internal class LegacyTreeAuthorizeAttribute : AuthorizeAttribute
+ {
+ protected override bool IsAuthorized(HttpActionContext actionContext)
+ {
+ var httpContext = actionContext.Request.TryGetHttpContext();
+ if (httpContext)
+ {
+ var treeRequest = httpContext.Result.Request.QueryString["treeType"];
+ if (treeRequest.IsNullOrWhiteSpace()) return false;
+
+ var tree = ApplicationContext.Current.Services.ApplicationTreeService.GetByAlias(treeRequest);
+ if (tree == null) return false;
+
+ return UmbracoContext.Current.Security.CurrentUser != null
+ && UmbracoContext.Current.Security.UserHasAppAccess(tree.ApplicationAlias, UmbracoContext.Current.Security.CurrentUser);
+ }
+ return false;
+
+
+ }
+ }
+}
\ No newline at end of file
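Review bot: `IsAuthorized` dereferences `UmbracoContext.Current` and `ApplicationContext.Current` without a null check, so a request that reaches the filter without an Umbraco context would throw instead of being denied. A guard such as `if (UmbracoContext.Current == null) return false;` ahead of the tree lookup keeps the filter failing closed, and holding `UmbracoContext.Current.Security` in a local avoids resolving `CurrentUser` twice. The decision is also made on the raw `treeType` query-string value, and `QueryString[...]` joins repeated keys with commas. The controller's own tree lookup is not part of this diff, so it is worth confirming that it resolves the tree from that same value; otherwise the tree that is checked and the tree that is served could differ. The class would also benefit from an XML summary stating that it denies the request when `treeType` is missing, the tree alias is unknown, or the current user lacks access to the tree's application.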