diff --git a/Changelog.md b/Changelog.md
index 51e00adee7251dd6d9beefc79c948f53260dfef8..30001b2ce534e80c829f3ea548768080b70a7b95 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -103,6 +103,7 @@ With the port to Bootstrap 3, app/views/terms/default.haml has a new structure.
 * Expose Unicorn's pid option to our configuration system [#6411](https://github.com/diaspora/diaspora/pull/6411)
 * Add stream of all public posts [#6465](https://github.com/diaspora/diaspora/pull/6465)
 * Reload stream when clicking on already active one [#6466](https://github.com/diaspora/diaspora/pull/6466)
+* Sign in user before evaluating post visibility [#6490](https://github.com/diaspora/diaspora/pull/6490)
 
 # 0.5.3.1
 
diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 644970d6e98e499bcfe88773f5f03b7905a81380..62870cd46c1bae16dcc7f7c82e04d18b0aed10de 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -11,9 +11,13 @@ class PostsController < ApplicationController
   respond_to :html, :mobile, :json, :xml
 
   rescue_from Diaspora::NonPublic do
-    @code = "not-public"
-    respond_to do |format|
-      format.all { render template: "errors/not_public", status: 404, layout: "error_page" }
+    if user_signed_in?
+      @code = "not-public"
+      respond_to do |format|
+        format.all { render template: "errors/not_public", status: 404, layout: "error_page" }
+      end
+    else
+      authenticate_user!
     end
   end
 
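Review bot: In the `else` branch of the `rescue_from Diaspora::NonPublic` handler, a signed-out request for a limited post is now answered with the sign-in challenge instead of the 404, so an anonymous client can tell from the response alone that the post id exists, provided a missing id still produces a 404 (that path is not visible in this hunk). If that disclosure is accepted for the sake of the sign-in flow, record it in a comment above the branch, e.g. `# Signed-out visitors are sent to sign in; this reveals that the post exists, not its content.` The controller also responds to `:json` and `:xml`, and what `authenticate_user!` returns for those formats depends on the Devise configuration, which is not shown here; the specs added in this commit exercise only the default format. The `PostsController` class body continues outside the hunk.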
diff --git a/features/desktop/logged_out_browsing.feature b/features/desktop/logged_out_browsing.feature
index dbcd5caf387fa4a7fc3fbbe3413ec3fbfb7b2eae..4cc2baa3968ffa7e24cdafc0ea79a1fce1f154cb 100644
--- a/features/desktop/logged_out_browsing.feature
+++ b/features/desktop/logged_out_browsing.feature
@@ -21,5 +21,6 @@ Feature: Browsing Diaspora as a logged out user
     Scenario: Visiting a non-public post
       Given "bob@bob.bob" has a non public post with text "my darkest secrets"
       When I open the show page of the "my darkest secrets" post
-      Then I should see the "post not public" message
-      And I should not see "my darkest secrets"
+      Then I should not see "my darkest secrets"
+      When I sign in as "bob@bob.bob"
+      Then I should see "my darkest secrets" within "#single-post-content"
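Review bot: The step `Then I should not see "my darkest secrets"` is now the only assertion for the logged-out visit, and it passes on any page that lacks the text, including an error page. The removed "post not public" check has no replacement, so the scenario does not verify that the visitor was actually sent to the sign-in form; a step asserting the sign-in page, using whichever step definition the suite already has for it, would close that gap. The scenario signs in only as the post's author, so the signed-in-but-not-permitted case is left to the controller spec.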
diff --git a/spec/controllers/posts_controller_spec.rb b/spec/controllers/posts_controller_spec.rb
index c6ed28fbbb6a2411d32ccb8005a8a50100452363..e59b8e3396aa4b70122f55b46c0acb6fcabcf97d 100644
--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@@ -25,36 +25,50 @@ describe PostsController, type: :controller do
     end
 
     context "user signed in" do
-      before do
-        sign_in :user, alice
-        expect(post_service_double).to receive(:post).and_return(@message)
-      end
+      context "given a post that the user is allowed to see" do
+        before do
+          sign_in :user, alice
+          expect(post_service_double).to receive(:post).and_return(@message)
+        end
 
-      it "succeeds" do
-        get :show, id: @message.id
-        expect(response).to be_success
-      end
+        it "succeeds" do
+          get :show, id: @message.id
+          expect(response).to be_success
+        end
 
-      it 'succeeds after removing a mention when closing the mentioned user\'s account' do
-        user = FactoryGirl.create(:user, username: "user")
-        alice.share_with(user.person, alice.aspects.first)
-        msg = alice.build_post :status_message,
-                               text: "Mention @{User ; #{user.diaspora_handle}}", public: true, to: "all"
-        msg.save!
-        expect(msg.mentioned_people.count).to eq(1)
-        user.destroy
-        get :show, id: msg.id
-        expect(response).to be_success
-      end
+        it 'succeeds after removing a mention when closing the mentioned user\'s account' do
+          user = FactoryGirl.create(:user, username: "user")
+          alice.share_with(user.person, alice.aspects.first)
+          msg = alice.build_post :status_message,
+                                 text: "Mention @{User ; #{user.diaspora_handle}}", public: true, to: "all"
+          msg.save!
+          expect(msg.mentioned_people.count).to eq(1)
+          user.destroy
+          get :show, id: msg.id
+          expect(response).to be_success
+        end
+
+        it "renders the application layout on mobile" do
+          get :show, id: @message.id, format: :mobile
+          expect(response).to render_template("layouts/application")
+        end
 
-      it "renders the application layout on mobile" do
-        get :show, id: @message.id, format: :mobile
-        expect(response).to render_template("layouts/application")
+        it "succeeds on mobile with a reshare" do
+          get :show, id: FactoryGirl.create(:reshare, author: alice.person).id, format: :mobile
+          expect(response).to be_success
+        end
       end
 
-      it "succeeds on mobile with a reshare" do
-        get :show, id: FactoryGirl.create(:reshare, author: alice.person).id, format: :mobile
-        expect(response).to be_success
+      context "given a post that the user is not allowed to see" do
+        before do
+          sign_in :user, alice
+          expect(post_service_double).to receive(:post).and_raise(Diaspora::NonPublic)
+        end
+
+        it "returns a 404" do
+          get :show, id: @message.id
+          expect(response.code).to eq("404")
+        end
       end
     end
 
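Review bot: The new "returns a 404" example checks only `response.code`, so it would still pass if a signed-in user received some other 404 page than the not-public one; adding `expect(response).to render_template("errors/not_public")` would pin the branch the controller change keeps for signed-in users. Both nested contexts repeat `sign_in :user, alice` in their `before` blocks; it could move to a single `before { sign_in :user, alice }` directly under `context "user signed in"`. The enclosing `describe` block starts and ends outside the hunk.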
@@ -81,6 +95,18 @@ describe PostsController, type: :controller do
           expect(response.body).to eq(@status.to_diaspora_xml)
         end
       end
+
+      context "given a limited post" do
+        before do
+          expect(post_service_double).to receive(:post).and_raise(Diaspora::NonPublic)
+        end
+
+        it "forces the user to sign" do
+          get :show, id: @message.id
+          expect(response).to be_redirect
+          expect(response).to redirect_to new_user_session_path
+        end
+      end
     end
   end