diff --git a/server/vbv_lernwelt/dashboard/tests/graphql/test_dashboard.py b/server/vbv_lernwelt/dashboard/tests/graphql/test_dashboard.py
index 6812e0b4..09fe9309 100644
--- a/server/vbv_lernwelt/dashboard/tests/graphql/test_dashboard.py
+++ b/server/vbv_lernwelt/dashboard/tests/graphql/test_dashboard.py
@@ -65,10 +65,33 @@ class DashboardTestCase(GraphQLTestCase):
 self.assertEqual(course_2_config["title"], course_2.title)
 self.assertEqual(course_2_config["dashboard_type"], "StatisticsDashboard")
+ def test_course_statistics_deny_not_allowed_users(self):
+ # GIVEN
+ disallowed_user = create_user("1337_hacker_schorsch")
+ course, _ = create_course("Test Course")
+ create_course_session(course=course, title="Test Course Session")
+
+ self.client.force_login(disallowed_user)
+
+ query = f"""query($course_id: ID!) {{
+ course_statistics(course_id: $course_id) {{
+ course_id
+ }}
+ }}
+ """
+ variables = {"course_id": str(course.id)}
+
+ # WHEN
+ response = self.query(query, variables=variables)
+
+ # THEN
+ self.assertResponseNoErrors(response)
+
+ course_statistics = response.json()["data"]["course_statistics"]
+ self.assertEqual(course_statistics, None)
+
 def test_course_statistics_id(self):
 # GIVEN
-
- # TODO: Give this guy the right permissions, once we have them
 supervisor = create_user("supervisor")
 course_1, _ = create_course("Test Course 1")
 course_2, _ = create_course("Test Course 2")
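Review bot: The deny case in `test_course_statistics_deny_not_allowed_users` only covers a logged-in user with no relation to the course, which is the easiest case for an access check to get right. The cases where authorization more often fails are not covered: a request with no `force_login` at all, a user who holds rights on a different course, and (if the project has such a role) an ordinary member of this course session. The test also passes if the `course_statistics` resolver returns `None` for every caller, so it needs a positive control; `test_course_statistics_id` continues past the end of this hunk, so it is not visible here whether the supervisor is actually granted permissions now that the TODO is removed. As minor style points, the query string has no interpolation, so the `f` prefix and doubled braces can be dropped, and `self.assertIsNone(course_statistics)` states the intent more directly than `assertEqual(course_statistics, None)`.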