diff --git a/app/controllers/context_controller.rb b/app/controllers/context_controller.rb
index 9b517e86d13..5ee5c462c39 100644
--- a/app/controllers/context_controller.rb
+++ b/app/controllers/context_controller.rb
@@ -321,7 +321,7 @@ class ContextController < ApplicationController
       end
       user_id = Shard.relative_id_for(params[:id], Shard.current, @context.shard)
       if @context.is_a?(Course)
-        scope = @context.enrollments.where(user_id: user_id)
+        scope = @context.enrollments_visible_to(@current_user).where(user_id: user_id)
         scope = @context.grants_right?(@current_user, session, :read_as_admin) ? scope.active : scope.active_or_pending
         @membership = scope.first
@@ -341,7 +341,7 @@ class ContextController < ApplicationController
         return
       end
-      @enrollments = @context.enrollments.for_user(@user) rescue []
+      @enrollments = @context.enrollments_visible_to(@current_user).for_user(@user) rescue []
       if @domain_root_account.enable_profiles?
         @user_data = profile_data(
diff --git a/spec/controllers/context_controller_spec.rb b/spec/controllers/context_controller_spec.rb
index df1efd209e5..055ffe1ac68 100644
--- a/spec/controllers/context_controller_spec.rb
+++ b/spec/controllers/context_controller_spec.rb
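Review bot: The new `enrollments_visible_to(@current_user)` scope turns a nil `@membership` into the authorization signal for section-limited viewers, but nothing on the changed line says so, and the nil handling (the redirect with a flash error that the spec expects) lives after `@membership = scope.first`, outside this hunk. Add a why-comment above the scope line, e.g. `# scope by the viewer's section visibility: a section-limited user must not resolve an enrollment outside their sections, so a miss here is treated as not-found below`. Two things to confirm that are not visible here: that `enrollments_visible_to` copes with a nil `@current_user` (a public course with no session reaches this action), and that the `read_as_admin` branch on the next line still applies section limits for a teacher whose enrollment is limited to a section. The `Group` branch of this `if`, if one exists, is unchanged and unaffected by the fix. roster_user begins before and continues past the hunk.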
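Review bot: The inline `rescue []` kept on the changed `@enrollments` line now also swallows any exception raised inside `enrollments_visible_to(@current_user)`, so a defect in the visibility filter itself (an unexpected nil viewer, a bad scope) silently yields an empty list instead of surfacing. That fails closed, which is the right direction for an authorization filter, but it hides regressions in exactly the code this commit depends on and a bare rescue modifier also catches programming errors. Narrow it to the exception class the original line was guarding against, or at least log before returning `[]`, and document the intent: `# fail closed: if visibility scoping errors we show no enrollments, never the unfiltered set`. The enclosing method continues past the hunk.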
@@ -158,6 +158,38 @@ describe ContextController do
       expect(response).to be_success
     end
   end
+
+  describe 'section visibility' do
+    before :once do
+      @other_section = @course.course_sections.create! :name => 'Other Section FRD'
+      @course.enroll_teacher(@teacher, :section => @other_section, :allow_multiple_enrollments => true).accept!
+      @other_student = user_factory
+      @course.enroll_student(@other_student, :section => @other_section, :limit_privileges_to_course_section => true).accept!
+    end
+
+    it 'prevents section-limited users from seeing users in other sections' do
+      user_session(@student)
+      get 'roster_user', :course_id => @course.id, :id => @other_student.id
+      expect(response).to be_success
+
+      user_session(@other_student)
+      get 'roster_user', :course_id => @course.id, :id => @student.id
+      expect(response).to be_redirect
+      expect(flash[:error]).to be_present
+    end
+
+    it 'limits enrollments by visibility' do
+      user_session(@student)
+      get 'roster_user', :course_id => @course.id, :id => @teacher.id
+      expect(response).to be_success
+      expect(assigns[:enrollments].map(&:course_section_id)).to match_array([@course.default_section.id, @other_section.id])
+
+      user_session(@other_student)
+      get 'roster_user', :course_id => @course.id, :id => @teacher.id
+      expect(response).to be_success
+      expect(assigns[:enrollments].map(&:course_section_id)).to match_array([@other_section.id])
+    end
+  end
   end
   describe "POST 'object_snippet'" do
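Review bot: Both examples exercise only the student path of the controller change; the `read_as_admin` branch (where the scope becomes `.active` rather than `.active_or_pending`) is never driven by a section-limited viewer, so a regression that let a section-restricted teacher resolve a student in another section would not be caught. The negative case also stops at `be_redirect` and `flash[:error]`; asserting `expect(assigns[:membership]).to be_nil` would pin that no enrollment was resolved before the redirect. If a section-limited teacher is indeed meant to be blocked the same way (the controller hunk suggests so, but I can't see `enrollments_visible_to`), an example along these lines would cover that branch; `@course`, `@student` and `@teacher` come from setup outside this hunk.
```ruby
    it 'applies section limits to teachers with read_as_admin too' do
      limited_teacher = user_factory
      @course.enroll_teacher(limited_teacher, :section => @other_section, :limit_privileges_to_course_section => true).accept!
      user_session(limited_teacher)
      get 'roster_user', :course_id => @course.id, :id => @student.id
      expect(response).to be_redirect
      expect(assigns[:membership]).to be_nil
    end
```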