diff --git a/ow_vm_management/__manifest__.py b/ow_vm_management/__manifest__.py
index acdb619..e60fda0 100644
--- a/ow_vm_management/__manifest__.py
+++ b/ow_vm_management/__manifest__.py
@@ -16,6 +16,7 @@
 ],
 'data': [
 'security/ir.model.access.csv',
+ 'security/ir.rule.xml',
 'views/vps_server_views.xml',
 'views/res_partner_views.xml',
 'views/portal_templates.xml',
diff --git a/ow_vm_management/controllers/__pycache__/portal.cpython-39.pyc b/ow_vm_management/controllers/__pycache__/portal.cpython-39.pyc
index 2f1acb1..b17e14a 100644
Binary files a/ow_vm_management/controllers/__pycache__/portal.cpython-39.pyc and b/ow_vm_management/controllers/__pycache__/portal.cpython-39.pyc differ
diff --git a/ow_vm_management/controllers/portal.py b/ow_vm_management/controllers/portal.py
index bdefd2a..e477ab1 100644
--- a/ow_vm_management/controllers/portal.py
+++ b/ow_vm_management/controllers/portal.py
@@ -1,27 +1,30 @@
 from odoo import http, _
-from odoo.exceptions import AccessError, MissingError
+from odoo.exceptions import AccessError
 from odoo.http import request
 from odoo.addons.portal.controllers.portal import CustomerPortal, pager as portal_pager
 from odoo.osv.expression import OR
-class CustomerPortalVPS(CustomerPortal):
+class VPSPortal(CustomerPortal):
 def _prepare_home_portal_values(self, counters):
 values = super()._prepare_home_portal_values(counters)
+ partner = request.env.user.partner_id
+ VPSServer = request.env['vps.server']
 if 'vps_server_count' in counters:
- values['vps_server_count'] = request.env['vps.server'].search_count([('customer_id', '=', request.env.user.partner_id.id)])
+ values['vps_server_count'] = VPSServer.search_count([('customer_id', '=', partner.id)])
 return values
 @http.route(['/my/vps-servers', '/my/vps-servers/page/'], type='http', auth="user", website=True)
 def portal_my_vps_servers(self, page=1, date_begin=None, date_end=None, sortby=None, **kw):
 values = self._prepare_portal_layout_values()
+ partner = request.env.user.partner_id
 VPSServer = request.env['vps.server']
- domain = [('customer_id', '=', request.env.user.partner_id.id)]
+ domain = [('customer_id', '=', partner.id)]
 searchbar_sortings = {
 'name': {'label': _('Name'), 'order': 'name'},
- 'ip_address': {'label': _('IP Address'), 'order': 'ip_address'},
+ 'state': {'label': _('State'), 'order': 'state'},
 }
 if not sortby:
@@ -62,28 +65,43 @@ class CustomerPortalVPS(CustomerPortal):
 })
 return request.render("ow_vm_management.portal_my_vps_servers", values)
- @http.route(['/my/vps//restart'], type='http', auth="user", website=True)
- def portal_restart_vps(self, vps_id, **kw):
+ @http.route(['/my/vps-servers/'], type='http', auth="user", website=True)
+ def portal_my_vps_server(self, vps_id, **kw):
 try:
- vps_sudo = request.env['vps.server'].sudo().browse(vps_id)
- vps_sudo.action_restart_from_portal()
- return request.redirect(vps_sudo.get_portal_url())
+ vps_sudo = self._document_check_access('vps.server', vps_id)
 except AccessError:
 return request.redirect('/my')
-
- @http.route(['/my/vps-servers/'], type='http', auth="user", website=True)
- def portal_my_vps_server(self, vps_server_id=None, access_token=None, **kw):
- try:
- vps_server_sudo = self._document_check_access('vps.server', vps_server_id, access_token)
- except (AccessError, MissingError):
+
+ if vps_sudo.customer_id.id != request.env.user.partner_id.id:
 return request.redirect('/my')
- values = self._vps_server_get_page_view_values(vps_server_sudo, access_token, **kw)
+ values = self._vps_server_get_page_view_values(vps_sudo, **kw)
 return request.render("ow_vm_management.portal_vps_server_page", values)
- def _vps_server_get_page_view_values(self, vps_server, access_token, **kwargs):
+ def _vps_server_get_page_view_values(self, vps_server, access_token=None, **kwargs):
 values = {
 'page_name': 'vps_server',
 'vps_server': vps_server,
 }
- return self._get_page_view_values(vps_server, access_token, values, 'my_vps_servers_history', False, **kwargs)
\ No newline at end of file
+ return self._get_page_view_values(vps_server, access_token, values, 'my_vps_servers_history', False, **kwargs)
+
+ @http.route(['/my/vps//restart'], type='http', auth="user", website=True)
+ def portal_restart_vps(self, vps_id, **kw):
+ try:
+ vps_sudo = self._document_check_access('vps.server', vps_id)
+ if vps_sudo.customer_id.id != request.env.user.partner_id.id:
+ return request.redirect('/my')
+ vps_sudo.action_restart_from_portal()
+ return request.redirect(vps_sudo.get_portal_url())
+ except AccessError:
+ return request.redirect('/my')
+
+ def _document_check_access(self, model_name, document_id, access_token=None):
+ document = request.env[model_name].sudo().browse(document_id)
+ document_sudo = document.with_user(request.env.user).sudo()
+ try:
+ document_sudo.check_access_rights('read')
+ document_sudo.check_access_rule('read')
+ except AccessError:
+ raise
+ return document_sudo
\ No newline at end of file
diff --git a/ow_vm_management/models/__pycache__/vps_server.cpython-39.pyc b/ow_vm_management/models/__pycache__/vps_server.cpython-39.pyc
index 6748c75..5a8c53b 100644
Binary files a/ow_vm_management/models/__pycache__/vps_server.cpython-39.pyc and b/ow_vm_management/models/__pycache__/vps_server.cpython-39.pyc differ
diff --git a/ow_vm_management/models/vps_server.py b/ow_vm_management/models/vps_server.py
index 1482e8e..c60423d 100644
--- a/ow_vm_management/models/vps_server.py
+++ b/ow_vm_management/models/vps_server.py
@@ -1,5 +1,5 @@
 from odoo import models, fields, api, _
-from odoo.exceptions import UserError
+from odoo.exceptions import UserError, AccessError
 import requests
 import urllib3
 import ipaddress
@@ -89,6 +89,12 @@ class VPSServer(models.Model):
 status = self._proxmox_request('GET', f'nodes/pve/{vm_type}/{vm_id}/status/current')
 server.state = 'running' if status['data']['status'] == 'running' else 'stopped'
+ def check_access_rule(self, operation):
+ if self.env.user.has_group('base.group_portal'):
+ if operation != 'read' or self.customer_id != self.env.user.partner_id:
+ raise AccessError(_("You don't have access to this VPS server."))
+ return super(VPSServer, self).check_access_rule(operation)
+
 def action_restart_from_portal(self):
 self.ensure_one()
 if self.env.user.partner_id != self.customer_id:
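Review bot: The new `_document_check_access` override calls `check_access_rights('read')` and `check_access_rule('read')` on a recordset that has already been through `.sudo()`, and the stock Odoo implementations of both return early in superuser mode, so the only thing these calls can enforce is whatever the model's own `check_access_rule` override does. The override also drops the `access_token` handling and the `MissingError` case of the inherited helper, and because it is defined on a `CustomerPortal` subclass it may replace that helper for other portal document routes as well (worth confirming on the Odoo version in use). I would delete the override, keep calling the inherited method, and restore `except (AccessError, MissingError):` together with the `MissingError` import removed in the first hunk of this file. Separately, `portal_restart_vps` changes server state but its route does not restrict the HTTP method; adding `methods=['POST']` to that `@http.route` line would keep the restart behind Odoo's CSRF token check.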
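Review bot: The `check_access_rule` override added to `VPSServer` applies its portal test without looking at `self.env.su`, whereas the stock method it wraps returns early in superuser mode, so a `sudo()` write or unlink carried out on behalf of a portal user (for example a state update during the restart action, if it writes) would likely raise `AccessError` here. It also duplicates the `ir.rule` record added in this same commit, and on an empty recordset `self.customer_id != self.env.user.partner_id` is always true, so portal users are refused even when there is nothing to check. Either drop the override and let the record rule do the filtering, or guard it with `if not self.env.su and self.env.user.has_group('base.group_portal'):` and compare per record. A short docstring stating that portal users are limited to reading their own servers would also help; the class body continues outside the hunk.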
diff --git a/ow_vm_management/security/ir.rule.xml b/ow_vm_management/security/ir.rule.xml
new file mode 100644
index 0000000..30923a3
--- /dev/null
+++ b/ow_vm_management/security/ir.rule.xml
@@ -0,0 +1,15 @@
+
+
+
+
+ Portal user can only see own VPS servers
+
+ [('customer_id', '=', user.partner_id.id)]
+
+
+
+
+
+
+
+
\ No newline at end of file