diff --git a/app/api/v1/boxes.rb b/app/api/v1/boxes.rb
index f669d83..96d2f9d 100644
--- a/app/api/v1/boxes.rb
+++ b/app/api/v1/boxes.rb
@@ -12,6 +12,7 @@ module Api
 resource :boxes do
 get do
 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+ return forbidden! unless profile.display_info_to?(current_person)
 present profile.boxes, :with => Entities::Box
 end
 end
diff --git a/test/api/boxes_test.rb b/test/api/boxes_test.rb
index 5526f9b..6481f03 100644
--- a/test/api/boxes_test.rb
+++ b/test/api/boxes_test.rb
@@ -69,4 +69,13 @@ class BoxesTest < ActiveSupport::TestCase
 json = JSON.parse(last_response.body)
 assert_equal [], json["boxes"].first["blocks"].map {|b| b['id']}
 end
+
+ should 'not list boxes for user without permission' do
+ profile = fast_create(Profile, public_profile: false)
+ box = fast_create(Box, :owner_id => profile.id, :owner_type => Profile.name)
+ block = fast_create(Block, box_id: box.id)
+ get "/api/v1/profiles/#{profile.id}/boxes?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal 403, last_response.status
+ end
 end
-- libgit2 0.21.2
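Review bot: The new guard covers only this `get` endpoint; if `resource :boxes` declares any other route that reads `profile.boxes` (the rest of the resource is outside the hunk), it needs the same `display_info_to?` check or the restriction can be sidestepped through the sibling route. `forbidden!` in this helper set presumably halts the request with a 403 via `error!`, in which case the leading `return` is dead code; if it does not halt, the `return` is the only thing keeping `present` from running, which deserves a comment on the added line such as `# must halt here: profile.boxes exposes block contents of private profiles`. Note also that `find` runs before the permission check, so a missing id and an existing private profile answer differently (not-found versus 403); that is acceptable, but it should be a deliberate choice rather than an accident of ordering.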
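Review bot: The new test asserts only the status code, while `block` and `json` are assigned and never used, so nothing checks that the 403 response carries no box data; a regression that serialized the boxes alongside an error status would still pass. Either drop the two unused locals or assert on the body, e.g. `assert_nil json['boxes']` (exact shape depends on the error body `forbidden!` emits, which the hunk does not show). The positive side of the new check is not exercised either: no case shows that the owner, or a logged-in member, of a `public_profile: false` profile still receives 200, so an over-restrictive `display_info_to?` would go unnoticed; a companion `should 'list boxes of a private profile to its owner'` case would pin that behaviour.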