diff --git a/lib/main/tests/projects.py b/lib/main/tests/projects.py
index 93094a2981..d8bb6893fc 100644
--- a/lib/main/tests/projects.py
+++ b/lib/main/tests/projects.py
@@ -322,9 +322,9 @@ class ProjectsTest(BaseTest):
 # can list credentials on a team
 self.get(team_creds, expect=401)
 self.get(team_creds, expect=401, auth=self.get_invalid_credentials())
- self.get(team_creds, expect=201, auth=self.get_super_credentials())
- self.get(team_creds, expect=201, auth=self.get_normal_credentials())
- self.get(team_creds, expect=201, auth=self.get_other_credentials())
+ self.get(team_creds, expect=200, auth=self.get_super_credentials())
+ self.get(team_creds, expect=200, auth=self.get_normal_credentials())
+ self.get(team_creds, expect=403, auth=self.get_other_credentials())
 self.get(team_creds, expect=403, auth=self.get_nobody_credentials())
 # can edit a credential
diff --git a/lib/main/views.py b/lib/main/views.py
index 056d43a22e..1623455cc2 100644
--- a/lib/main/views.py
+++ b/lib/main/views.py
@@ -226,12 +226,13 @@ class TeamsCredentialsList(BaseSubList):
 def _get_queryset(self):
 team = Team.objects.get(pk=self.kwargs['pk'])
- if not Team.can_user_read(self.request.user, team):
- raise PermissionDenied()
+ if not Team.can_user_administrate(self.request.user, team):
+ if not (self.request.user.is_superuser or self.request.user in team.users.all()):
+ raise PermissionDenied()
 project_credentials = Credential.objects.filter(
- projects__team__users__in = [ user ]
+ team = team
 )
- return user.credentials.distinct() | project_credentials.distinct()
+ return project_credentials.distinct()
 class ProjectsList(BaseList):
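Review bot: The three rewritten assertions check only the status code, so they would still pass if the listing leaked credentials belonging to other teams or omitted this team's own; the new view scopes the queryset with `team = team`, and nothing in this hunk verifies that. I would capture the 200 response for the normal user and assert on its contents, e.g. `data = self.get(team_creds, expect=200, auth=self.get_normal_credentials())` followed by an equality check between the returned credential ids and the ids created for this team, adjusted to whatever shape `self.get` returns, which is not visible here. It also appears that no case exercises a team member who is not a team admin, which is exactly the branch the new view adds; whether `get_normal_credentials()` is such a user depends on fixtures not shown, so that is worth confirming. The enclosing test method starts before this hunk.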
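Review bot: The new permission check inlines the read rule in the view instead of keeping it behind a `Team` predicate, and `self.request.user in team.users.all()` loads every member into memory to do a Python comparison; a flat predicate with an `.exists()` query is cheaper and easier to audit: `allowed = self.request.user.is_superuser or Team.can_user_administrate(self.request.user, team) or team.users.filter(pk=self.request.user.pk).exists()` followed by `if not allowed: raise PermissionDenied()`. If `Team.can_user_read` was dropped because it did not cover plain members, the fix presumably belongs in that method (or a sibling on `Team`) so other views listing team-scoped resources apply the same rule rather than drifting; I cannot see its body here to be sure. Separately, `Team.objects.get(pk=...)` on the unchanged line above raises `Team.DoesNotExist` for an unknown pk instead of producing a 404, which is worth switching to `get_object_or_404(Team, pk=self.kwargs['pk'])` while this method is being touched. `_get_queryset` begins and ends inside this hunk.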