diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8e7956da48f132b7991bdd697ae96f896c0c8568..49ddcfed7b1ee99bf8a29f418c44c3c91283ac5a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,7 @@
 class UsersController < ApplicationController
   skip_before_action :authenticate_user!
   before_action :set_user
+  before_filter :authorize_read_user, only: [:show]
 
   def show
     respond_to do |format|
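Review bot: The new filter is registered with `before_filter`, while the line above it uses `before_action`; `before_filter` is the deprecated alias (removed in Rails 5.1), and mixing the two in one controller is confusing to read. Use `before_action :authorize_read_user, only: [:show]` so the callback is declared consistently and survives a Rails upgrade. The ordering is correct as written, since `set_user` runs first and populates `@user` before the check. Note the check is limited to `show`; any other action in this controller that renders data about `@user` (the rest of the class is outside this hunk) remains reachable by anonymous visitors because of the `skip_before_action :authenticate_user!` on line 7, so confirm those do not need the same guard. The `show` method continues past the end of the hunk.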
@@ -74,6 +75,9 @@ class UsersController < ApplicationController
   end
 
   private
+  def authorize_read_user
+    render_404 unless @user.public?
+  end
 
   def set_user
     @user = User.find_by_username!(params[:username])
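Review bot: `authorize_read_user` decides purely on `@user.public?`, which does not look at who is asking, so when profiles are not public the 404 is returned to signed-in users as well as to anonymous visitors (this controller skips `authenticate_user!`, so both reach it). If the intent is to hide profiles only from anonymous traffic, the check should consider the requester, e.g. `render_404 unless current_user || @user.public?`, or better go through the app's ability layer (`can?(current_user, :read_user, @user)`) so the rule lives with the other authorization policy rather than in the controller — I'm inferring the intent from the commit, so confirm which behaviour is wanted. A one-line comment above the method stating that rule (`# Profiles are hidden when public visibility is disabled site-wide`) would help the next reader. `set_user` continues past the end of the hunk.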
diff --git a/app/models/user.rb b/app/models/user.rb
index 031315debd75f7c0e2e3ae9a75fb4f926e28dfa4..e2b602d598b9c0d8945b35f49a559650921caab5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,6 +835,10 @@ class User < ActiveRecord::Base
     notification_settings.find_or_initialize_by(source: source)
   end
 
+  def public?
+    current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+  end
+
   private
 
   def projects_union
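Review bot: The predicate looks inverted: `restricted_visibility_levels` names the visibility levels an administrator has disallowed, so a profile should count as public when `PUBLIC` is *absent* from that list, yet `public?` returns true only when `PUBLIC` is present. As written, the controller's `render_404 unless @user.public?` would hide profiles exactly when public visibility is allowed and show them when it is restricted — the opposite of the commit's goal. The fix is to negate the membership test: `!current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)`, ideally with a short doc comment such as `# True unless the instance has restricted the PUBLIC visibility level.` This assumes `restricted_visibility_levels` has its usual "disallowed levels" meaning and that `current_application_settings` is available inside the model (it is a helper normally mixed into controllers), both of which should be confirmed before merging.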