diff --git a/app/controllers/context_modules_controller.rb b/app/controllers/context_modules_controller.rb
index c4cdd554eab..500d789f399 100644
--- a/app/controllers/context_modules_controller.rb
+++ b/app/controllers/context_modules_controller.rb
@@ -268,10 +268,12 @@ class ContextModulesController < ApplicationController
   end
 
   def show
-    @module = @context.modules_visible_to(@current_user).find(params[:id])
-    respond_to do |format|
-      format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") }
-      format.json { render :json => @module.content_tags_visible_to(@current_user) }
+    @module = @context.context_modules.not_deleted.find(params[:id])
+    if authorized_action @module, @current_user, :read
+      respond_to do |format|
+        format.html { redirect_to named_context_url(@context, :context_context_modules_url, :anchor => "module_#{params[:id]}") }
+        format.json { render :json => @module.content_tags_visible_to(@current_user) }
+      end
     end
   end
 
diff --git a/app/models/context_module.rb b/app/models/context_module.rb
index 08bfd284087..7f9600b62b5 100644
--- a/app/models/context_module.rb
+++ b/app/models/context_module.rb
@@ -213,7 +213,7 @@ class ContextModule < ActiveRecord::Base
     given {|user, session| self.context.grants_right?(user, session, :read_as_admin) }
     can :read_as_admin
 
-    given {|user, session| self.context.grants_right?(user, session, :read) }
+    given {|user, session| self.context.grants_right?(user, session, :read) && self.active? }
     can :read
   end
 
diff --git a/spec/controllers/context_modules_controller_spec.rb b/spec/controllers/context_modules_controller_spec.rb
index 682d534eef1..fec6ad34205 100644
--- a/spec/controllers/context_modules_controller_spec.rb
+++ b/spec/controllers/context_modules_controller_spec.rb
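Review bot: The html branch still builds the redirect anchor from `params[:id]` rather than from the record the new `find` just resolved, so raw request input is echoed into the Location header even though `@module.id` is now available and canonical; change it to `:anchor => "module_#{@module.id}"`. Authorization in this action now rests entirely on the model hunk's `:read` grant requiring `active?` — the controller no longer filters by visibility itself — so the two changes only work together, which deserves a comment above the check such as `# unpublished modules are hidden by ContextModule's :read grant, not by this query`. Note also that a soft-deleted id now raises RecordNotFound from `not_deleted.find` while an unpublished one is rendered unauthorized, so a student can tell the two states apart; that may be acceptable but should be a deliberate choice. `show` is fully contained in this hunk.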
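Review bot: The `:read` grant now requires `self.active?`, and within this hunk nothing grants `:read` to a user who only satisfies the `:read_as_admin` given above it, so a teacher requesting an unpublished module through the new `show` action appears to be denied unless another `given` outside the hunk covers that case; the spec added by this commit only exercises a teacher with a published module and would not catch this. If admin access to unpublished modules is intended, grant it explicitly on the admin branch, e.g. `can :read_as_admin and can :read` (or whichever combined form this policy DSL accepts), and add a spec for a teacher and an unpublished module. The `set_policy` block this hunk belongs to starts before the hunk.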
@@ -546,4 +546,27 @@ describe ContextModulesController do
       end
     end
   end
+
+  describe "GET 'show'" do
+    before :once do
+      course_with_teacher(active_all: true)
+    end
+
+    it "should redirect to the module on the index page" do
+      @m2 = @course.context_modules.create!(:name => "published hey")
+      user_session(@teacher)
+      get 'show', course_id: @course.id, id: @m2.id
+      expect(response).to redirect_to course_context_modules_url(course_id: @course.id, anchor: "module_#{@m2.id}")
+    end
+
+    it "should unauthorized for students and unpublished modules" do
+      @m1 = @course.context_modules.create(:name => "unpublished oi")
+      @m1.workflow_state = 'unpublished'
+      @m1.save!
+      student_in_course active_all: true
+      user_session(@student)
+      get 'show', course_id: @course.id, id: @m1.id
+      assert_unauthorized
+    end
+  end
 end
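Review bot: The student example at the end of the hunk combines two conditions (student role and unpublished state), so a failure of `authorized_action` for any reason — including a broken `:read` grant that denies every student — would still make it pass; add a positive example showing a student is redirected for a published module, so the unauthorized result is attributable to the unpublished state alone. The teacher example should likewise be paired with an unpublished module so the intended admin behaviour is pinned rather than assumed. Both `it` blocks are fully inside the hunk.
```ruby
    # … unchanged: existing "GET 'show'" examples …
    it "should redirect students to a published module" do
      @m2 = @course.context_modules.create!(:name => "published hey")
      student_in_course active_all: true
      user_session(@student)
      get 'show', course_id: @course.id, id: @m2.id
      expect(response).to redirect_to course_context_modules_url(course_id: @course.id, anchor: "module_#{@m2.id}")
    end
```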