diff --git a/tests/test_portal_scope.py b/tests/test_portal_scope.py
new file mode 100644
index 0000000..cd52268
--- /dev/null
+++ b/tests/test_portal_scope.py
@@ -0,0 +1,31 @@
+import uuid
+from datetime import datetime
+from tests.conftest import make_project
+from backend import portal_auth as pa
+from backend.auth_passwords import hash_password
+from backend.models import MonitoringLocation
+
+
+def _sound_location(db_session, project):
+    loc = MonitoringLocation(
+        id=str(uuid.uuid4()), project_id=project.id, name="Site",
+        location_type="sound", created_at=datetime.utcnow(),
+        sort_order=0)
+    db_session.add(loc)
+    db_session.commit()
+    return loc
+
+
+def test_session_for_A_cannot_open_B_location(client, db_session):
+    a = make_project(db_session, portal_enabled=True, portal_link_token="ta",
+                     portal_password_hash=hash_password("pw"))
+    b = make_project(db_session)
+    b_loc = _sound_location(db_session, b)
+
+    # Establish an A session
+    r = client.post("/portal/p/ta", data={"password": "pw"}, follow_redirects=False)
+    assert r.status_code == 303
+
+    # Try to open B's location page → 404 (not 403), no leak
+    r2 = client.get(f"/portal/location/{b_loc.id}")
+    assert r2.status_code == 404