diff --git a/server/middleware/src/private.ts b/server/middleware/src/private.ts
index f1d85e0a73..cc9400cc6b 100644
--- a/server/middleware/src/private.ts
+++ b/server/middleware/src/private.ts
@@ -16,6 +16,7 @@
 import core, {
   AttachedDoc,
   Class,
+  DOMAIN_TX,
   Doc,
   DocumentQuery,
   FindOptions,
@@ -71,7 +72,8 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
     options?: FindOptions<T>
   ): Promise<FindResult<T>> {
     let newQuery = query
-    const domain = this.storage.hierarchy.getDomain(_class)
+    const hierarchy = this.storage.hierarchy
+    const domain = hierarchy.getDomain(_class)
     if (this.targetDomains.includes(domain)) {
       const account = await getUser(this.storage, ctx)
       if (account._id !== core.account.System) {
@@ -82,6 +84,23 @@ export class PrivateMiddleware extends BaseMiddleware implements Middleware {
       }
     }
     const findResult = await this.provideFindAll(ctx, _class, newQuery, options)
+    if (domain === DOMAIN_TX) {
+      const account = await getUser(this.storage, ctx)
+      if (account._id !== core.account.System) {
+        const targetClasses = new Set(
+          hierarchy.getDescendants(core.class.Doc).filter((p) => {
+            const domain = hierarchy.findDomain(p)
+            return domain != null && this.targetDomains.includes(domain)
+          })
+        )
+        ;(findResult as FindResult<Doc> as FindResult<Tx>).filter(
+          (p) =>
+            !hierarchy.isDerived(p._class, core.class.TxCUD) ||
+            !targetClasses.has((p as TxCUD<Doc>).objectClass) ||
+            p.modifiedBy === account._id
+        )
+      }
+    }
     if (options?.lookup !== undefined) {
       for (const object of findResult) {
         if (object.$lookup !== undefined) {
diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index 5473bd025b..f019a691ca 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -238,16 +238,26 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
       if (isSpace) {
         await this.handleTx(ctx, cudTx as TxCUD<Space>)
       }
-      const space = this.privateSpaces[tx.objectSpace]
-      if (space !== undefined) {
-        const account = await getUser(this.storage, ctx)
-        if (!isOwner(account)) {
-          const allowed = this.allowedSpaces[account._id]
-          if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
-            throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+      const account = await getUser(this.storage, ctx)
+      if (tx.objectSpace === (account._id as string)) {
+        targets = [account.email]
+      } else {
+        const space = this.privateSpaces[tx.objectSpace]
+        if (space !== undefined) {
+          targets = await this.getTargets(space.members)
+          if (!isOwner(account)) {
+            const allowed = this.allowedSpaces[account._id]
+            if (allowed === undefined || !allowed.includes(isSpace ? (cudTx.objectId as Ref<Space>) : tx.objectSpace)) {
+              throw new PlatformError(new Status(Severity.ERROR, platform.status.Forbidden, {}))
+            }
+          } else {
+            if (targets === undefined) {
+              targets = [account.email]
+            } else if (!targets.includes(account.email)) {
+              targets.push(account.email)
+            }
           }
         }
-        targets = await this.getTargets(this.privateSpaces[tx.objectSpace]?.members)
       }
     }