Index: src/applications/conduit/call/ConduitCall.php
===================================================================
--- src/applications/conduit/call/ConduitCall.php
+++ src/applications/conduit/call/ConduitCall.php
@@ -79,12 +79,35 @@
   }
 
   public function execute() {
-    if (!$this->getUser()) {
-      if ($this->shouldRequireAuthentication()) {
+    $user = $this->getUser();
+    if (!$user) {
+      $user = new PhabricatorUser();
+    }
+
+    $this->request->setUser($user);
+
+    if ($this->shouldRequireAuthentication()) {
+      if (!$user->isLoggedIn()) {
         throw new ConduitException("ERR-INVALID-AUTH");
       }
-    } else {
-      $this->request->setUser($this->getUser());
+
+      // TODO: This would be slightly cleaner by just using a Query, but the
+      // Conduit auth workflow requires the Call and User be built separately.
+      // Just do it this way for the moment.
+      $application = $this->handler->getApplication();
+      if ($application) {
+        $can_view = PhabricatorPolicyFilter::hasCapability(
+          $user,
+          $application,
+          PhabricatorPolicyCapability::CAN_VIEW);
+
+        if (!$can_view) {
+          throw new ConduitException(
+            pht(
+              "You do not have access to the application which provides this ".
+              "API method."));
+        }
+      }
     }
 
     if (!$this->shouldForceLocal() && $this->servers) {
Index: src/applications/conduit/method/ConduitAPIMethod.php
===================================================================
--- src/applications/conduit/method/ConduitAPIMethod.php
+++ src/applications/conduit/method/ConduitAPIMethod.php
@@ -177,14 +177,24 @@
   }
 
   public function getPolicy($capability) {
-    return PhabricatorPolicies::POLICY_USER;
+    // Application methods get application visibility; other methods get open
+    // visibility.
+
+    $application = $this->getApplication();
+    if ($application) {
+      return $application->getPolicy($capability);
+    }
+
+    return PhabricatorPolicies::getMostOpenPolicy();
   }
 
   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
-    // The policy interface on Conduit calls is currently just to let us hook
-    // into ApplicationSearch. Calls are always visible (even to logged out
-    // users).
-    return true;
+    if (!$this->shouldRequireAuthentication()) {
+      // Make unauthenticated methods univerally visible.
+      return true;
+    }
+
+    return false;
   }
 
   public function describeAutomaticCapability($capability) {