diff --git a/spec/requests/drafts_controller_spec.rb b/spec/requests/drafts_controller_spec.rb
index bffc3900b54..d18b15ec85f 100644
--- a/spec/requests/drafts_controller_spec.rb
+++ b/spec/requests/drafts_controller_spec.rb
@@ -24,4 +24,15 @@ describe DraftsController do
     parsed = JSON.parse(response.body)
     expect(parsed["drafts"].length).to eq(0)
   end
+
+  it 'does not let userA see drafts by userB' do
+    userB = Fabricate(:user)
+    Draft.set(userB, 'xxx', 0, '{}')
+
+    userA = sign_in(Fabricate(:user))
+    get "/drafts.json", params: { username: userB.username }
+    expect(response.status).to eq(200)
+    parsed = JSON.parse(response.body)
+    expect(parsed["drafts"].length).to eq(0)
+  end
 end
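Review bot: An empty drafts list is not evidence that the per-user scoping works: the new `it 'does not let userA see drafts by userB'` example passes equally if `/drafts.json` ignores the `username` param entirely, if `Draft.set` never persisted anything, or if listing is broken for every user. Add a positive control inside the same example — sign in as userB, request the same URL and assert the draft is returned — before the cross-user request, so the final `eq(0)` can only mean the other user's draft was filtered out. The local `userA` assigned on the `sign_in` line is never read; `sign_in(Fabricate(:user))` is enough (this assumes `sign_in` can switch the session user within one example, which the helper's use here suggests but the hunk does not show). The `eq(200)` expectation implies the controller is expected to quietly scope to the current user rather than reject the request; a one-line comment such as `# username param must not widen results beyond the signed-in user's own drafts` would record the authorization contract this spec guards.
```ruby
  it 'does not let userA see drafts by userB' do
    userB = Fabricate(:user)
    Draft.set(userB, 'xxx', 0, '{}')

    # Positive control: the owner sees the draft, so the empty list further
    # down means the cross-user request was filtered, not that listing is broken.
    sign_in(userB)
    get "/drafts.json", params: { username: userB.username }
    expect(response.status).to eq(200)
    expect(JSON.parse(response.body)["drafts"].length).to eq(1) # expected count assumes Draft.set stores one draft — confirm

    sign_in(Fabricate(:user))
    get "/drafts.json", params: { username: userB.username }
    # … unchanged: status and empty-drafts assertions …
  end
```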