diff --git a/mod/bigbluebuttonbn/classes/external/get_join_url.php b/mod/bigbluebuttonbn/classes/external/get_join_url.php
index f3064fe36dc..1f79f5ba39b 100644
--- a/mod/bigbluebuttonbn/classes/external/get_join_url.php
+++ b/mod/bigbluebuttonbn/classes/external/get_join_url.php
@@ -55,6 +55,8 @@ class get_join_url extends external_api {
 * @param int $cmid the bigbluebuttonbn course module id
 * @param null|int $groupid
 * @return array (empty array for now)
+ *
+ * @throws restricted_context_exception
 */
 public static function execute(
 int $cmid,
@@ -81,7 +83,11 @@ class get_join_url extends external_api {
 }
 $instance->set_group_id($groupid);
+ // Validate that the user has access to this activity and to join the meeting.
 self::validate_context($instance->get_context());
+ if (!$instance->can_join()) {
+ throw new restricted_context_exception();
+ }
 try {
 $result['join_url'] = meeting::join_meeting($instance);
diff --git a/mod/bigbluebuttonbn/tests/external/get_join_url_test.php b/mod/bigbluebuttonbn/tests/external/get_join_url_test.php
index e245b37d18c..4d033f8d79f 100644
--- a/mod/bigbluebuttonbn/tests/external/get_join_url_test.php
+++ b/mod/bigbluebuttonbn/tests/external/get_join_url_test.php
@@ -16,7 +16,9 @@ namespace mod_bigbluebuttonbn\external;
+use context_course;
 use core_external\external_api;
+use core_external\restricted_context_exception;
 use mod_bigbluebuttonbn\instance;
 use mod_bigbluebuttonbn\test\testcase_helper_trait;
 use moodle_exception;
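Review bot: The `@return array (empty array for now)` line kept as context in this docblock no longer describes the method, which in the next hunk assigns `$result['join_url'] = meeting::join_meeting($instance);` — the return statement itself is outside the hunk, so the exact shape is not visible here, but the description should at least name the `join_url` key, e.g. `* @return array result carrying the 'join_url' the caller should redirect to`. The new `@throws` tag would also be more useful if it said when, e.g. `* @throws restricted_context_exception if the user cannot access the activity or is not allowed to join the meeting`. The `execute()` signature continues past the end of this hunk.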
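Review bot: `restricted_context_exception` is thrown unqualified inside the `mod_bigbluebuttonbn\external` namespace, and this hunk adds no `use core_external\restricted_context_exception;` to get_join_url.php (only the test file gets one, in the following hunk); unless the class file already imports it in its use block, which is outside the hunk, the `throw` resolves to a non-existent class and fails with a fatal error instead of the intended exception. The ordering is right: `validate_context()` runs before `can_join()`, so the capability check is only evaluated for a context the caller is allowed to reach. What is not visible is whether `can_join()` takes the caller-supplied `$groupid` set just above via `set_group_id()` into account; if it does not, a user may still obtain a join URL for a group they are not a member of, so either a group-access check here or a comment confirming `can_join()` covers it would close that question. The body of `execute()` continues outside the hunk.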
@@ -86,6 +88,28 @@ class get_join_url_test extends \externallib_advanced_testcase {
 $this->get_join_url($instance->get_cm_id());
 }
+ /**
+ * Test execution with a user who doesn't have the capability to join the meeting
+ */
+ public function test_execute_without_capability(): void {
+ global $DB;
+
+ $this->resetAfterTest();
+
+ $course = $this->getDataGenerator()->create_course();
+ $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]);
+ $instance = instance::get_from_instanceid($record->id);
+
+ $user = $this->getDataGenerator()->create_and_enrol($course);
+ $this->setUser($user);
+
+ $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST);
+ assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true);
+
+ $this->expectException(restricted_context_exception::class);
+ $this->get_join_url($instance->get_cm_id());
+ }
+
 /**
 * Test execute API CALL with invalid login
 */
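Review bot: The test prohibits `mod/bigbluebuttonbn:join` on the role looked up by `['shortname' => 'student']`, but enrols the user with `create_and_enrol($course)` and silently relies on the generator's default role being that same student role; making the coupling explicit with `$user = $this->getDataGenerator()->create_and_enrol($course, 'student');` keeps the test meaningful if the default ever changes. Because `restricted_context_exception` is also what `validate_context()` raises, the `expectException` assertion alone cannot tell whether the rejection came from the new `can_join()` guard or from the context check; the enrolment should make the latter pass, but a positive call before the capability is prohibited would pin the guard as the cause, provided the meeting backend is already mocked elsewhere in this class. The `get_join_url()` helper the test calls is defined outside the hunk.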