diff --git a/api/auth/containerauth.py b/api/auth/containerauth.py
index 72f7b741f1a9224968bb735b9aff981ba5bd28b3..d7f53feeaf73a6c564b54026ef4f8d5d584a4b54 100644
--- a/api/auth/containerauth.py
+++ b/api/auth/containerauth.py
@@ -14,15 +14,11 @@ def default_container(handler, container=None, target_parent_container=None):
     def g(exec_op):
         def f(method, _id=None, payload=None, unset_payload=None, recursive=False, r_payload=None, replace_metadata=False):
             projection = None
+            additional_error_msg = None
             if method == 'GET' and container.get('public', False):
                 has_access = True
             elif method == 'GET':
-                has_access = True
-                if not _get_access(handler.uid, handler.user_site, container) >= INTEGER_ROLES['ro']:
-                    projection = {
-                        'subject.firstname': 0,
-                        'subject.lastname' : 0
-                    }
+                has_access = _get_access(handler.uid, handler.user_site, container) >= INTEGER_ROLES['ro']
             elif method == 'POST':
                 required_perm = 'rw'
                 if target_parent_container.get('roles'):
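Review bot: After this hunk no visible branch of `f` assigns `projection`, yet it is still initialised to `None` and forwarded as `projection=projection` in the `exec_op` call. That leftover suggests name redaction still happens for low-privilege readers, when the GET branch now simply denies access below 'ro'. If no branch outside the hunk sets it, remove the local, or document it with something like `# projection is no longer set here: GET below 'ro' is denied, not redacted`. The body of `f` continues outside the hunk, so the remaining branches need checking first.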
@@ -30,10 +26,15 @@ def default_container(handler, container=None, target_parent_container=None):
                     required_perm = 'admin'
                 has_access = _get_access(handler.uid, handler.user_site, target_parent_container) >= INTEGER_ROLES[required_perm]
             elif method == 'DELETE':
+                required_perm = 'rw'
+                if container.get('has_children') is True or container.get('files'):
+                    # If the container has children or files, admin is required to delete
+                    required_perm = 'admin'
+                    additional_error_msg = 'Container is not empty.'
                 if target_parent_container:
-                    has_access = _get_access(handler.uid, handler.user_site, target_parent_container) >= INTEGER_ROLES['admin']
+                    has_access = _get_access(handler.uid, handler.user_site, target_parent_container) >= INTEGER_ROLES[required_perm]
                 else:
-                    has_access = _get_access(handler.uid, handler.user_site, container) >= INTEGER_ROLES['admin']
+                    has_access = _get_access(handler.uid, handler.user_site, container) >= INTEGER_ROLES[required_perm]
             elif method == 'PUT' and target_parent_container is not None:
                 has_access = (
                     _get_access(handler.uid, handler.user_site, container) >= INTEGER_ROLES['admin'] and
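Review bot: The DELETE branch fails open, because `container.get('has_children') is True` treats a missing key as "empty" and lowers the requirement from 'admin' to 'rw'. In this diff only one handler path populates `has_children`, so any other caller of this decorator that reaches DELETE without setting it would get the weaker check for a container that still has children. Treat the absent key as non-empty, e.g. `if container.get('has_children', True) or container.get('files'):`. Separately, `additional_error_msg = 'Container is not empty.'` is appended to the 403 in the last hunk of this file for every denied caller, including one with no role on the container. That tells such a caller the container holds children or files, so consider adding it only when the caller already has 'rw'.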
@@ -50,7 +51,10 @@ def default_container(handler, container=None, target_parent_container=None):
             if has_access:
                 return exec_op(method, _id=_id, payload=payload, unset_payload=unset_payload, recursive=recursive, r_payload=r_payload, replace_metadata=replace_metadata, projection=projection)
             else:
-                handler.abort(403, 'user not authorized to perform a {} operation on the container'.format(method))
+                error_msg = 'user not authorized to perform a {} operation on the container.'.format(method)
+                if additional_error_msg:
+                    error_msg += ' '+additional_error_msg
+                handler.abort(403, error_msg)
         return f
     return g
 
diff --git a/api/handlers/containerhandler.py b/api/handlers/containerhandler.py
index 3628280d4bcfc136589290fb004b1bbb950acf9c..3819940c9ac63daa026280b317eb6eea5e6ac1e4 100644
--- a/api/handlers/containerhandler.py
+++ b/api/handlers/containerhandler.py
@@ -175,9 +175,10 @@ class ContainerHandler(base.RequestHandler):
         # Only enabled for sessions container type per url rule in api.py
         self.config = self.container_handler_configurations["sessions"]
         self.storage = self.config['storage']
-        cont = self._get_container(cid, projection={'permissions': 0, 'files': 0, 'metadata': 0}, get_children=True)
+        cont = self._get_container(cid, projection={'files': 0, 'metadata': 0}, get_children=True)
 
         permchecker = self._get_permchecker(cont)
+
         permchecker(noop)('GET', cid)
 
         analyses = cont.get('analyses', [])
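Review bot: Dropping `'permissions': 0` from the projection means `cont` carries the full permission list for the rest of this method, and nothing in the hunk removes it once `permchecker(noop)('GET', cid)` has run. The later hunk strips `permissions` only from the joined analyses and acquisitions, so if `cont` itself reaches the response, the list of users and roles goes with it. Consider `cont.pop('permissions', None)` right after the permission check, provided nothing later in the method still needs it. The method continues outside the hunk, so whether `cont` is returned cannot be confirmed from here.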
@@ -219,6 +220,9 @@ class ContainerHandler(base.RequestHandler):
         if join_cont:
             # create a map of analyses and acquisitions by _id
             containers = dict((str(c['_id']), c) for c in analyses+acquisitions)
+            for c in containers:
+                # No need to return perm arrays
+                c.pop('permissions', None)
             response['containers'] = containers
 
         return response
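Review bot: `containers` is a dict keyed by the string `_id`, so `for c in containers:` iterates the keys, and `c.pop('permissions', None)` is then called on a string, which has no `pop`. The loop raises `AttributeError` on the first entry instead of removing anything. Iterate the values: `for c in containers.values():`. Until that is fixed, the `join_cont` path never removes the permission arrays it was added to strip.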
@@ -427,6 +431,10 @@ class ContainerHandler(base.RequestHandler):
         self.config = self.container_handler_configurations[cont_name]
         self.storage = self.config['storage']
         container= self._get_container(_id)
+        if self.config.get('children_cont'):
+            container['has_children'] = bool(self.storage.get_children(_id))
+        else:
+            container['has_children'] = False
         target_parent_container, _ = self._get_parent_container(container)
         permchecker = self._get_permchecker(container, target_parent_container)
         try:
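Review bot: `has_children` is a snapshot taken before the permission check and before whatever the `try:` block does, so a child created in between is not counted. In that case the 'rw' threshold in the auth decorator would be applied to a container that is no longer empty. If the storage layer allows it, make the emptiness condition part of the delete itself, or re-check immediately before deleting, rather than relying on the flag alone. `bool(self.storage.get_children(_id))` also appears to load every child just to test for existence, so a limited or count-style query would be cheaper if one is available. The method starts and ends outside the hunk.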