diff --git a/app/controllers/api/v2/restful_controller.rb b/app/controllers/api/v2/restful_controller.rb
index b64682f3..7cc6a44c 100644
--- a/app/controllers/api/v2/restful_controller.rb
+++ b/app/controllers/api/v2/restful_controller.rb
@@ -45,7 +45,7 @@ module Api
 end
 def current_user
- super || token_user || doorkeeper_user || nil
+ token_user || super || doorkeeper_user || nil
 end
 def load_resource
diff --git a/app/serializers/api/v2/application_serializer.rb b/app/serializers/api/v2/application_serializer.rb
index 2d7c1b9a..4345c941 100644
--- a/app/serializers/api/v2/application_serializer.rb
+++ b/app/serializers/api/v2/application_serializer.rb
@@ -32,9 +32,11 @@ module Api
 if attr.to_s.pluralize == attr.to_s
 attribute("#{attr.to_s.singularize}_ids".to_sym,
 opts.merge(unless: -> { embeds.include?(key) })) do
- object.send(attr).map(&:id)
+ Pundit.policy_scope(scope[:current_user], object.send(attr))&.map(&:id) || []
+ end
+ has_many(attr, opts.merge(if: -> { embeds.include?(key) })) do
+ Pundit.policy_scope(scope[:current_user], object.send(attr)) || []
 end
- has_many(attr, opts.merge(if: -> { embeds.include?(key) }))
 else
 id_opts = opts.merge(key: "#{key}_id")
 attribute("#{attr}_id".to_sym,
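Review bot: With `token_user` now first in `current_user`, the chain still falls through on nil, so a request that presents a token which does not resolve (expired, revoked, malformed) would be served as the session user from `super` or as the Doorkeeper user rather than rejected. This assumes `token_user` returns nil in that case, which is not visible in this hunk. If a supplied token is meant to pin the identity, the method should fail closed when a token is present but invalid, and the order deserves a comment such as `# Precedence: API token, then session (super), then Doorkeeper; a supplied-but-invalid token must not fall back to the session`. A request spec that sends both a session and a token belonging to different users would pin the new precedence.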
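Review bot: Both new blocks coerce a nil result from `Pundit.policy_scope` to `[]`, so an association whose policy defines no `Scope` is silently serialized as empty instead of surfacing the missing policy; `Pundit.policy_scope!(scope[:current_user], object.send(attr))` would raise and make that gap visible in tests. `scope[:current_user]` also assumes every caller builds the serializer with a scope hash, so a serializer created without one would raise NoMethodError here. A nil user is passed straight into the policy scope, so each `Scope#resolve` has to handle the anonymous case explicitly. The `else` branch for singular associations continues outside the hunk and its visible lines are unchanged; it is worth confirming that the `_id` attribute it emits is authorized the same way, since a foreign-key id can reveal a record the caller is not allowed to see.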