diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 5ce4ae41..2df3bb5e 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -31,14 +31,13 @@ class ProjectsController < ApplicationController
 @completed_count = current_user.projects.completed.count
 @no_projects = current_user.projects.empty?
 current_user.projects.cache_note_counts
- @new_project = current_user.projects.build
 end
 format.m do
 @completed_projects = current_user.projects.completed
 @down_count = @active_projects.size + @hidden_projects.size + @completed_projects.size
 cookies[:mobile_url]= {:value => request.fullpath, :secure => SITE_CONFIG['secure_cookies']}
 end
- format.xml { render :xml => @projects.all.to_xml( :except => :user_id ) }
+ format.xml { render :xml => @projects.to_xml( :except => :user_id ) }
 format.rss do
 @feed_title = I18n.t('models.project.feed_title')
 @feed_description = I18n.t('models.project.feed_description', :username => current_user.display_name)
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 7ec69685..b78056be 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
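Review bot: The new `format.xml` line still chooses the serialized attributes with a denylist (`:except => :user_id`), so any column later added to the projects table is published through the REST API by default, without anyone deciding it should be. An allowlist keeps the exposed surface explicit: `format.xml { render :xml => @projects.to_xml( :only => [<fields the API should expose>] ) }`. The assignment of `@projects` and the start of the `index` action are outside this hunk, so it is worth confirming that the relation is still scoped to `current_user.projects` now that `.all` has been dropped.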
@@ -221,5 +221,38 @@ class ProjectsControllerTest < ActionController::TestCase
 assert_equal projects(:gardenclean), exposed_projects[1]
 assert_equal projects(:moremoney), exposed_projects[2]
 end
+
+ # XML (REST API)
+
+ def test_xml_content
+ login_as(:admin_user)
+ get :index, { :format => "xml" }
+ assert_equal 'application/xml', @response.content_type
+
+ assert_xml_select 'projects' do
+ assert_select 'project', 3 do
+ assert_select 'name', /.+/
+ assert_select 'state', 'active'
+ end
+ end
+ end
+
+ def test_xml_not_accessible_to_anonymous_user_without_token
+ login_as nil
+ get :index, { :format => "xml" }
+ assert_response 401
+ end
+
+ def test_xml_not_accessible_to_anonymous_user_with_invalid_token
+ login_as nil
+ get :index, { :format => "xml", :token => 'foo' }
+ assert_response 401
+ end
+
+ def test_xml_not_accessible_to_anonymous_user_with_valid_token
+ login_as nil
+ get :index, { :format => "xml", :token => users(:admin_user).token }
+ assert_response 401
+ end
 end
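Review bot: `test_xml_content` never asserts that the owner id is absent from the XML, so the one filter the controller applies (`:except => :user_id`) could be removed without any test failing. Inside the `assert_select 'project', 3 do` block I would add `assert_select 'user-id', 0`. The element name is presumably dasherized by `to_xml`'s defaults, so confirm it against the real response. The count of 3 only proves per-user scoping if the fixtures also contain projects owned by another user, which is not visible from this hunk. A short comment on `test_xml_not_accessible_to_anonymous_user_with_valid_token` would also help, e.g. `# a feed token must not authenticate the XML API`, because a 401 for a valid token otherwise reads like a mistake.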