diff --git a/restws.entity.inc b/restws.entity.inc
index c3da46c..fbb645a 100644
--- a/restws.entity.inc
+++ b/restws.entity.inc
@@ -234,6 +234,8 @@ class RestWSEntityResourceController implements RestWSQueryResourceControllerInt
     $offset *= $limit;
     $query->range($offset, $limit);
 
+    $this->nodeAccess($query);
+
     // Catch any errors, like wrong keywords or properties.
     try {
       $query_result = $query->execute();
@@ -260,11 +262,29 @@ class RestWSEntityResourceController implements RestWSQueryResourceControllerInt
       $this->propertyQueryOperation($query, 'Condition', $filter, $value);
     }
     $query->count();
+    $this->nodeAccess($query);
 
     return $query->execute();
   }
 
   /**
+   * Helper function to respect node permission while querying.
+   *
+   * @param EntityFieldQuery $query
+   *   The query object.
+   */
+  protected function nodeAccess(EntityFieldQuery $query) {
+    // Respect node access and filter out unpublished nodes if user lacks
+    // the right permission.
+    if ($this->resource() == 'node') {
+      $query->addTag('access node');
+      if (!user_access('bypass node access')) {
+        $this->propertyQueryOperation($query, 'Condition', 'status', 1);
+      }
+    }
+  }
+
+  /**
    * Implements RestWSQueryResourceControllerInterface::limit().
    */
   public function limit($client_limit = NULL) {
diff --git a/restws.test b/restws.test
index 82645fe..343f2b8 100644
--- a/restws.test
+++ b/restws.test
@@ -337,6 +337,21 @@ class RestWSTestCase extends DrupalWebTestCase {
     $this->assertEqual(sort($role_keys), sort($user_array['roles']), 'User roles are present in the response.');
     $this->assertResponse('200', 'HTTP response code is correct.');
     $this->assertEqual(curl_getinfo($this->curlHandle, CURLINFO_CONTENT_TYPE), 'application/json', 'HTTP content type is correct.');
+
+    // Test node access.
+    $this->drupalCreateNode(array('title' => 'foo', 'status' => 0));
+
+    $this->drupalLogout();
+
+    $account = $this->drupalCreateUser(array('access resource node'));
+    $this->drupalLogin($account);
+
+    $result = $this->httpRequest('node.json', 'GET', $account);
+    $nodes = drupal_json_decode($result);
+    $this->verbose($result);
+    // No node should be returned.
+    $this->assertEqual(count($nodes['list']), 0, 'Unpublished node was successfully hidden.');
+
   }
 
   /**
