diff --git a/app/controllers/courses_controller.rb b/app/controllers/courses_controller.rb
index aa0e1596f..8bd91b089 100644
--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
@@ -293,10 +293,15 @@ class CoursesController < ApplicationController
 @all_members = searchTeacherAndAssistant(@course)
 @members = @all_members
 when '2'
- @subPage_title = l :label_student_list
- page = params[:page].nil? ? 0 : (params['page'].to_i - 1)
- @all_members = student_homework_score(0,page, 10,"desc")
- @members = @all_members
+ if @course.open_student == 1 || User.current.member_of_course?(@course)
+ @subPage_title = l :label_student_list
+ page = params[:page].nil? ? 0 : (params['page'].to_i - 1)
+ @all_members = student_homework_score(0,page, 10,"desc")
+ @members = @all_members
+ else
+ render_403
+ return
+ end
 end
 respond_to do |format|
 if params[:page]
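Review bot: The new visibility rule is written inline in the `when '2'` branch only, so it covers this one rendering path; any other action, export or search that calls `student_homework_score` or otherwise returns the course's students would need the same check, and none of that is visible from this hunk. Putting the condition behind a single predicate and using a guard, e.g. `return render_403 unless @course.open_student == 1 || User.current.member_of_course?(@course)`, would give the rule one definition and remove the extra nesting. As written, a site administrator who is not a course member is also refused when `open_student` is off; if that is not intended, the condition should also accept `User.current.admin?`. Separately, `params['page'].to_i - 1` evaluates to -1 for `page=0` or a non-numeric value and is passed on as the page index, so `page = [params[:page].to_i - 1, 0].max` would keep it in range. The enclosing action and its `case` statement begin outside the hunk.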