diff --git a/services/real-time/app/coffee/WebsocketController.coffee b/services/real-time/app/coffee/WebsocketController.coffee index d0ca99cc5c..d091c5e4ed 100644 --- a/services/real-time/app/coffee/WebsocketController.coffee +++ b/services/real-time/app/coffee/WebsocketController.coffee @@ -85,7 +85,7 @@ module.exports = WebsocketController = joinDoc: (client, doc_id, fromVersion = -1, options, callback = (error, doclines, version, ops, ranges) ->) -> metrics.inc "editor.join-doc" - Utils.getClientAttributes client, ["project_id", "user_id"], (error, {project_id, user_id}) -> + Utils.getClientAttributes client, ["project_id", "user_id", "is_restricted_user"], (error, {project_id, user_id, is_restricted_user}) -> return callback(error) if error? return callback(new Error("no project_id found on client")) if !project_id? logger.log {user_id, project_id, doc_id, fromVersion, client_id: client.id}, "client joining doc" @@ -99,6 +99,9 @@ module.exports = WebsocketController = DocumentUpdaterManager.getDocument project_id, doc_id, fromVersion, (error, lines, version, ranges, ops) -> return callback(error) if error? + if is_restricted_user and ranges?.comments? + ranges.comments = [] + # Encode any binary bits of data so it can go via WebSockets # See http://ecmanaut.blogspot.co.uk/2006/07/encoding-decoding-utf8-in-javascript.html encodeForWebsockets = (text) -> unescape(encodeURIComponent(text)) diff --git a/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee b/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee index 116485384d..f2f1531834 100644 --- a/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee +++ b/services/real-time/test/unit/coffee/WebsocketControllerTests.coffee 
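Review bot: The `is_restricted_user` value destructured in the `getClientAttributes` callback is falsy whenever the attribute was never stored on the client, so the comment filter added later in joinDoc fails open for such a connection. Where the attribute is set is not visible in this diff (presumably at project join), so it is unclear whether a socket can reach joinDoc without it. If it can, that client receives comments unfiltered. Consider treating a missing value as restricted, for example `if is_restricted_user isnt false and ranges?.comments?`, or returning an error when the attribute is undefined, as is already done for `project_id`. joinDoc's body continues outside the hunk.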
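Review bot: Only the `ranges.comments` snapshot is emptied for a restricted user; the `ops` returned by the same `DocumentUpdaterManager.getDocument` call go to the callback untouched. If `ops` can contain comment operations when the client supplies a `fromVersion` other than -1 (not visible here), a restricted client would still receive comment content through that argument, so it is worth confirming that path is filtered elsewhere. A short comment above the check would also help, e.g. `# restricted users must not see comment ranges; ops and live updates are filtered separately`, once that is confirmed. The assignment mutates the object handed back by `getDocument` in place, which is safe only if that object is not cached or shared between callers. The `getDocument` callback continues outside the hunk.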
@@ -238,6 +238,7 @@ describe 'WebsocketController', -> @options = {} @client.params.project_id = @project_id + @client.params.is_restricted_user = false @AuthorizationManager.addAccessToDoc = sinon.stub() @AuthorizationManager.assertClientCanViewProject = sinon.stub().callsArgWith(1, null) @DocumentUpdaterManager.getDocument = sinon.stub().callsArgWith(3, null, @doc_lines, @version, @ranges, @ops) @@ -338,6 +339,16 @@ describe 'WebsocketController', -> it "should not call the DocumentUpdaterManager", -> @DocumentUpdaterManager.getDocument.called.should.equal false + describe "with a restricted client", -> + beforeEach -> + @ranges.comments = [{op: {a: 1}}, {op: {a: 2}}] + @client.params.is_restricted_user = true + @WebsocketController.joinDoc @client, @doc_id, -1, @options, @callback + + it "should overwrite ranges.comments with an empty list", -> + ranges = @callback.args[0][4] + expect(ranges.comments).to.deep.equal [] + describe "leaveDoc", -> beforeEach -> @doc_id = "doc-id-123"
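Review bot: The new `describe "with a restricted client"` block covers only `is_restricted_user = true`, so nothing in this diff checks that the filter leaves unrestricted clients alone or what happens when the attribute is absent. Add a case with `is_restricted_user = false` asserting that `@callback.args[0][4].comments` still equals the two fixture comments, and one that deletes `@client.params.is_restricted_user` to document the intended default. It would also help to assert that the other fields of `ranges` are unchanged for the restricted client, so a later change that blanks the whole object is caught. The enclosing `describe` for joinDoc starts outside the hunk.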