diff --git a/main/exercise/exercise_report.php b/main/exercise/exercise_report.php
index 123f84c1e7..98192273e8 100755
--- a/main/exercise/exercise_report.php
+++ b/main/exercise/exercise_report.php
@@ -18,8 +18,18 @@ $this_section = SECTION_COURSES;
 $htmlHeadXtra[] = api_get_jqgrid_js();
-// Access control
-api_protect_course_script(true, false, true);
+$filter_user = isset($_REQUEST['filter_by_user']) ? intval($_REQUEST['filter_by_user']) : null;
+$isBossOfStudent = false;
+if (api_is_student_boss() && !empty($filter_user)) {
+ // Check if boss has access to user info.
+ if (UserManager::userIsBossOfStudent(api_get_user_id(), $filter_user)) {
+ $isBossOfStudent = true;
+ } else {
+ api_not_allowed(true);
+ }
+} else {
+ api_protect_course_script(true, false, true);
+}
 // including additional libraries
 require_once 'hotpotatoes.lib.php';
@@ -40,13 +50,10 @@ $TBL_TRACK_EXERCISES = Database::get_main_table(TABLE_STATISTIC_TRACK_E_EXERCISE
 $TBL_TRACK_ATTEMPT = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ATTEMPT);
 $TBL_TRACK_ATTEMPT_RECORDING = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ATTEMPT_RECORDING);
 $TBL_LP_ITEM_VIEW = Database::get_course_table(TABLE_LP_ITEM_VIEW);
-
 $allowCoachFeedbackExercises = api_get_setting('allow_coach_feedback_exercises') === 'true';
 $course_id = api_get_course_int_id();
 $exercise_id = isset($_REQUEST['exerciseId']) ? intval($_REQUEST['exerciseId']) : null;
-$filter_user = isset($_REQUEST['filter_by_user']) ? intval($_REQUEST['filter_by_user']) : null;
-
 $locked = api_resource_is_locked_by_gradebook($exercise_id, LINK_EXERCISE);
 if (empty($exercise_id)) {
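Review bot: The student-boss branch replaces `api_protect_course_script(true, false, true)` entirely, so for a boss with a valid `filter_by_user` none of the course-scoped checks that call performs run any more — only the boss/student relationship is verified. If `api_protect_course_script` also validates the course context taken from the request (course id, session, login), the boss path now accepts any course in the URL for that student, which may be intended but should be explicit and bounded; at minimum guard the course context inside the boss branch, `if (empty(api_get_course_int_id())) { api_not_allowed(true); }`. The rest of the page must then restrict the report to `$filter_user` whenever `$isBossOfStudent` is true; that code is outside this hunk, so it is worth stating here with a comment such as `// Boss bypasses course-level access: the report below MUST be limited to $filter_user.`. The enclosing top-level script continues past this hunk.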