Ensure searching does not reveal information it shouldn't

Create two courses. Enrol one set of students in one course and the others in the second course. Log in as one of the students and go to the messaging page "User menu > Messages". Click on contacts, and then try to search for the course that the user is not enrolled in. The course should not show up. Search for the course that the user is enrolled in. It should show up. Clicking the course will show users in that course. Do a search for a user in a different course. It should still be possible to find any student on the site. Removing permission to view participants Log in as the admin and navigate to a course. Go to "Course administration > Users > Permissions" and remove "Student" from "View participants" and put them as Prohibited. Log in as a student that is enrolled in the course with the changed permissions. Go to the messaging page. Try to search for the course. The student should no longer be able to find the course.