diff --git a/atst/domain/authz/decorator.py b/atst/domain/authz/decorator.py
index 17755749..00519308 100644
--- a/atst/domain/authz/decorator.py
+++ b/atst/domain/authz/decorator.py
@@ -5,6 +5,7 @@ from flask import g, current_app as app, request
 from . import user_can_access
 from atst.domain.portfolios import Portfolios
 from atst.domain.task_orders import TaskOrders
+from atst.domain.applications import Applications
 from atst.domain.exceptions import UnauthorizedError
@@ -16,6 +17,10 @@ def check_access(permission, message, exception, *args, **kwargs):
             g.current_user, kwargs["portfolio_id"]
         )
+    if "application_id" in kwargs:
+        application = Applications.get(kwargs["application_id"])
+        access_args["portfolio"] = application.portfolio
+
     if "task_order_id" in kwargs:
         task_order = TaskOrders.get(kwargs["task_order_id"])
         access_args["portfolio"] = task_order.portfolio
diff --git a/tests/routes/portfolios/test_applications.py b/tests/routes/portfolios/test_applications.py
index b6245aaa..e8db5d2f 100644
--- a/tests/routes/portfolios/test_applications.py
+++ b/tests/routes/portfolios/test_applications.py
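Review bot: The new `application_id` branch derives the portfolio from the application alone and never compares it with the `portfolio_id` the same route received, so a URL naming one portfolio together with an application from another is accepted whenever the user has access to the application's portfolio; the test added in this commit only covers the case where the user lacks that access. Any handler that keeps reading `kwargs["portfolio_id"]` after the decorator passes would then act on a portfolio other than the one that was actually authorized. A guard such as `if "portfolio_id" in kwargs and str(application.portfolio.id) != str(kwargs["portfolio_id"]):` followed by rejecting the request the same way a missing resource is rejected would keep the two in agreement (the str() normalization is a hedge, since the hunk does not show what type the URL converter yields). The existing `task_order_id` branch below has the same gap and could share the check. The body of check_access starts before and continues after this hunk.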
@@ -157,6 +157,47 @@ def test_user_without_permission_cannot_update_application(client, user_session)
     assert application.description == "Cool stuff happening here!"
+def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
+    portfolio = PortfolioFactory.create()
+    other_portfolio = PortfolioFactory.create(
+        applications=[
+            {
+                "name": "Awesome Application",
+                "description": "More cool stuff happening here!",
+                "environments": [{"name": "dev"}],
+            }
+        ]
+    )
+    other_application = other_portfolio.applications[0]
+    user_session(portfolio.owner)
+
+    # user can't view application edit form
+    response = client.get(
+        "/portfolios/{}/applications/{}/edit".format(portfolio.id, other_application.id)
+    )
+    assert response.status_code == 404
+
+    # user can't post update application form
+    response = client.post(
+        url_for(
+            "portfolios.update_application",
+            portfolio_id=portfolio.id,
+            application_id=other_application.id,
+        ),
+        data={"name": "New Name", "description": "A new description."},
+        follow_redirects=True,
+    )
+    assert response.status_code == 404
+
+    # user can't view application members
+    response = client.get(
+        "/portfolios/{}/applications/{}/members".format(
+            portfolio.id, other_application.id
+        )
+    )
+    assert response.status_code == 404
+
+
 def create_environment(user):
     portfolio = PortfolioFactory.create()
     portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
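Review bot: The three requests only show that the cross-portfolio user receives a 404; there is no positive control proving that `other_portfolio.owner` still reaches the same URLs, so a broken route or a wrong `other_application.id` would make this test pass for the wrong reason. Consider ending the test with `user_session(other_portfolio.owner)` followed by a `client.get` of the edit URL that asserts the status is not 404 (presumably 200 for the form). As a point of style, the edit and members requests build literal paths with `str.format` while the update request uses `url_for`; using `url_for` for all three keeps the test tied to the route names rather than to path layout.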