diff --git a/app/controllers/dmsf_controller.rb b/app/controllers/dmsf_controller.rb
index 7b0b42cd..c1522b81 100644
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@@ -47,7 +47,11 @@ class DmsfController < ApplicationController
 include DmsfQueriesHelper
 def permissions
- render_403 unless DmsfFolder.permissions?(@folder, false)
+ if !DmsfFolder.permissions?(@folder, false)
+ render_403
+ elsif(@folder && (@folder.project != @project))
+ render_404
+ end
 true
 end
diff --git a/test/functional/dmsf_controller_test.rb b/test/functional/dmsf_controller_test.rb
index e5f28903..45e3f4bd 100644
--- a/test/functional/dmsf_controller_test.rb
+++ b/test/functional/dmsf_controller_test.rb
@@ -250,10 +250,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
 end
 def test_show_folder_doesnt_correspond_the_project
- # Despite the fact that project != @folder3.project
 assert @project1 != @folder3.project
 get :show, params: { id: @project1.id, folder_id: @folder3.id }
- assert_response :success
+ assert_response :not_found
 end
 def test_new_forbidden
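Review bot: In `permissions`, the 403 branch is evaluated before the new project-mismatch branch, so a `folder_id` belonging to another project answers 403 or 404 depending on the caller's rights on that foreign folder, and the status code can reveal that the folder exists elsewhere. Checking ownership first gives one uniform answer: `if @folder && @folder.project != @project` → `render_404`, then `elsif !DmsfFolder.permissions?(@folder, false)` → `render_403`. This assumes `@folder` and `@project` are set by earlier filters that are not visible in the hunk; any other controller that loads a folder from `folder_id` would presumably need the same ownership check. On style, `elsif(` is missing a space and the nested parentheses are redundant.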
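Review bot: `test_show_folder_doesnt_correspond_the_project` pins the 404 only for `show`, and presumably only for a user who has rights on `@folder3`; a second case for a caller without permission on the foreign folder would fix which status that path returns (403 with the current branch order in the controller). The removed comment leaves the test's intent unstated, so a line such as `# A folder_id from another project must not be served under this project` would help the next reader. `assert_not_equal @project1, @folder3.project` would also give a clearer failure message than `assert ... != ...`.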