diff --git a/app/controllers/sections_controller.rb b/app/controllers/sections_controller.rb
index 308daab697a..45c2eaa76d4 100644
--- a/app/controllers/sections_controller.rb
+++ b/app/controllers/sections_controller.rb
@@ -53,14 +53,17 @@ class SectionsController < ApplicationController
 # @API List course sections
 # Returns the list of sections for this course.
 #
- # @argument include[] [optional, "students"] Associations to include with the group.
+ # @argument include[] [optional, "students"] Associations to include with the group. Note: this is only available if you have permission to view users or grades in the course
 # @argument include[] [optional, "avatar_url"] Include the avatar URLs for students returned.
 #
 # @returns [Section]
 def index
- if authorized_action(@context, @current_user, [:read_roster, :view_all_grades, :manage_grades])
- includes = Array(params[:include])
+ if authorized_action(@context, @current_user, [:read, :read_roster, :view_all_grades, :manage_grades])
+ if params[:include].present? && !is_authorized_action?(@context, @current_user, [:read_roster, :view_all_grades, :manage_grades])
+ params[:include] = nil
+ end
+ includes = Array(params[:include])
 result = @context.active_course_sections.map { |section| section_json(section, @current_user, session, includes) }
 render :json => result
diff --git a/spec/apis/v1/sections_api_spec.rb b/spec/apis/v1/sections_api_spec.rb
index 8c5c223adb0..d5146fa6f7d 100644
--- a/spec/apis/v1/sections_api_spec.rb
+++ b/spec/apis/v1/sections_api_spec.rb
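Review bot: The permission downgrade on the new `if params[:include].present? && !is_authorized_action?(...)` line works by mutating `params[:include]` in place, a side effect that anything reading params later in the request (logging, error reporting, helpers that re-read the parameter) will see. The local is all the rest of the method needs, so the same effect without mutation is `includes = Array(params[:include])` followed by `includes = [] unless is_authorized_action?(@context, @current_user, [:read_roster, :view_all_grades, :manage_grades])`, and the `present?` guard becomes unnecessary because `Array(nil)` is already empty. A short why-comment such as `# :read alone may list sections but must not expose the roster or grades` would keep a future reader from "restoring" the dropped include. The `index` body continues past the hunk (the header counts two more new lines than are shown).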
@@ -59,6 +59,33 @@ describe SectionsController, :type => :integration do
 { :controller => 'sections', :action => 'index', :course_id => @course2.to_param, :format => 'json' },
 { :include => ['students'] })
 json.size.should == 1
 end
+
+ it "should return sections but not students if user has :read but not :read_roster, :view_all_grades, or :manage_grades" do
+ RoleOverride.create!(:context => Account.default, :permission => 'read_roster', :enrollment_type => 'TaEnrollment', :enabled => false)
+ RoleOverride.create!(:context => Account.default, :permission => 'view_all_grades', :enrollment_type => 'TaEnrollment', :enabled => false)
+ RoleOverride.create!(:context => Account.default, :permission => 'manage_grades', :enrollment_type => 'TaEnrollment', :enabled => false)
+ enrollment = course_with_ta(:active_all => true)
+ enrollment.update_attribute(:limit_privileges_to_course_section, true)
+
+ @course.grants_right?(@ta, :read).should be_true
+ @course.grants_right?(@ta, :read_roster).should be_false
+ @course.grants_right?(@ta, :view_all_grades).should be_false
+ @course.grants_right?(@ta, :manage_grades).should be_false
+
+ route_params = {
+ :controller => 'sections',
+ :action => 'index',
+ :course_id => @course.to_param,
+ :format => 'json'
+ }
+ json = api_call(:get,
+ "/api/v1/courses/#{@course.id}/sections.json",
+ route_params,
+ { :include => ['students'] })
+
+ json.first["name"].should == @course.default_section.name
+ json.first.keys.include?("students").should be_false
+ end
 end
 describe "#show" do
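Review bot: The new example only exercises the downgrade path; the widening of `authorized_action` to accept `:read` in the controller has no negative counterpart here, so a user holding none of the four rights still receiving a 401 is unpinned unless another example in this file covers it. Adding `json.size.should == 1` before the final assertions would make a regression to an empty list fail with a clear message instead of a `NoMethodError` on `json.first`, and the last line reads more naturally in the file's matcher style as `json.first.keys.should_not include("students")`. The `enrollment.update_attribute(:limit_privileges_to_course_section, true)` call deserves a one-line comment naming which right it is meant to withhold, since the four `grants_right?` checks that follow it already pin the permission set and the reason for this extra flag is not visible in the hunk. The enclosing `describe` block starts outside the hunk.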