diff --git a/endpoints/api.py b/endpoints/api.py
index 3e188f765..7f901262c 100644
--- a/endpoints/api.py
+++ b/endpoints/api.py
@@ -202,14 +202,15 @@ def get_matching_entities(prefix):
   organization_name = request.args.get('organization', None)
   organization = None
   if organization_name:
-    try:
-      organization = model.get_organization(organization_name)
-    except:
-      pass
+    permission = OrganizationMemberPermission(organization_name)
+    if permission.can():
+      try:
+        organization = model.get_organization(organization_name)
+      except:
+        pass
 
-    if organization:
-      # TODO: ensure that the user has access to the organization
-      teams = model.get_matching_teams(prefix, organization)
+      if organization:
+        teams = model.get_matching_teams(prefix, organization)
 
   users = model.get_matching_users(prefix, organization)
 
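Review bot: The bare `except:` around `model.get_organization(organization_name)` is carried over into the new permission-gated branch and still swallows every error, so a database or programming fault during the lookup looks the same as "no such organization" and the request quietly continues to `model.get_matching_users(prefix, organization)` with `organization` still `None`. Narrow it to the lookup's not-found exception, e.g. `except <OrgNotFoundError>:  # placeholder: whatever get_organization raises`, and let anything else propagate so failures on this access-controlled path stay visible. Separately, `teams` is now assigned only inside `if permission.can():`, and its initialisation is outside this hunk. Confirm it defaults to an empty collection before this block, since the permission-denied path is new and would otherwise reach later code with `teams` unset. The body of `get_matching_entities` starts and ends outside the hunk.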
@@ -221,8 +222,6 @@ def get_matching_entities(prefix):
     }
 
   def user_view(user):
-    # TODO: Return whether the user is outside the organization (if one is
-    # specified)
     return {
       'name': user.username,
       'kind': 'user',