diff --git a/src/middleware/authorisation.js b/src/middleware/authorisation.js
index 01bb67a7..6a9fca2c 100644
--- a/src/middleware/authorisation.js
+++ b/src/middleware/authorisation.js
@@ -43,7 +43,7 @@ function authoriseIP(channel, ctx) {
 if ((channel.whitelist != null ? channel.whitelist.length : undefined) > 0) {
 return Array.from(channel.whitelist).includes(ctx.ip)
 } else {
- return true // whitelist auth not required
+ return false
 }
 }
@@ -52,8 +52,9 @@ export async function authorise(ctx, done) {
 if (
 channel != null &&
- authoriseIP(channel, ctx) &&
- (channel.authType === 'public' || authoriseClient(channel, ctx))
+ (channel.authType === 'public' ||
+ authoriseClient(channel, ctx) ||
+ authoriseIP(channel, ctx))
 ) {
 // authorisation succeeded
 ctx.authorisedChannel = channel
diff --git a/test/integration/httpTests.js b/test/integration/httpTests.js
index 78c8958e..a676b3a7 100644
--- a/test/integration/httpTests.js
+++ b/test/integration/httpTests.js
@@ -296,13 +296,13 @@ describe('HTTP tests', () => {
 .expect(201)
 })
- it('should deny access on POST - Private Channel with whitelisted IP but incorrect client role', async () => {
+ it('should allow access on POST - Private Channel with whitelisted IP but incorrect client role', async () => {
 await promisify(server.start)({httpPort: SERVER_PORTS.httpPort})
 await request(constants.HTTP_BASE_URL)
 .post('/un-auth')
 .send(testDoc)
 .auth('testApp', 'password')
- .expect(401)
+ .expect(201)
 })
 it('should return 201 CREATED on POST - Private Channel with whitelisted IP and correct client role', async () => {
diff --git a/test/unit/authorisationTest.js b/test/unit/authorisationTest.js
index a343774d..8eb70078 100644
--- a/test/unit/authorisationTest.js
+++ b/test/unit/authorisationTest.js
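Review bot: The `else` branch of `authoriseIP` (first hunk of src/middleware/authorisation.js) lost its explanatory comment at the same moment its meaning inverted, so nothing tells a reader why a missing or empty whitelist now yields `false`. A short replacement would do, e.g. `return false // no whitelist configured: the source IP alone grants nothing`. The function's result has also changed from a filter to a grant, which deserves one line above the signature; the signature itself sits in the hunk header, outside the changed lines.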
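Review bot: In `authorise` (second hunk of src/middleware/authorisation.js) a match on `channel.whitelist` now authorises the request on its own, so every existing channel that carries both a whitelist and client restrictions silently moves from requiring both checks to accepting either one. That makes `ctx.ip` a standalone credential; how `ctx.ip` is populated is not visible here, so if it can come from a forwarded header behind a proxy, that trust setting should be confirmed before an IP match is allowed to replace client authorisation. I would state the new rule above the condition, e.g. `// authorised when the channel is public, OR authoriseClient passes, OR the source IP is whitelisted`, and flag the change for operators of existing channels. The httpTests.js hunk pins the new allow case, but a case asserting 401 for a non-whitelisted IP with the wrong client role is not visible in it. The body of `authorise` continues outside the hunk.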
@@ -235,12 +235,12 @@ describe('Authorisation middleware', () => {
 return actual.should.be.false()
 })
- it('should return true if there are no whitelist entires', () => {
+ it('should return false if there are no whitelist entires', () => {
 const ctx = {ip: '192.168.0.11'}
 const channel = {whitelist: null}
 const authoriseIP = authorisation.__get__('authoriseIP')
 const actual = authoriseIP(channel, ctx)
- return actual.should.be.true()
+ return actual.should.be.false()
 })
 })
 })
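Review bot: The renamed unit test only exercises `whitelist: null`, while the `length > 0` guard in `authoriseIP` also sends an empty array to the new `return false`, and that path has no case in this hunk. Since the IP check is now sufficient on its own for authorisation, a regression that returned `true` for an empty whitelist would open the channel to every caller; a sibling test with `const channel = {whitelist: []}` and `actual.should.be.false()` would pin it. The test title also carries a typo, `entires` for `entries`. The enclosing `describe` blocks start outside the hunk.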