diff --git a/frontend/src/app/assignment/services/assignment.service.ts b/frontend/src/app/assignment/services/assignment.service.ts
index 1982ff48..a704b78f 100644
--- a/frontend/src/app/assignment/services/assignment.service.ts
+++ b/frontend/src/app/assignment/services/assignment.service.ts
@@ -83,6 +83,10 @@ export class AssignmentService {
   }
 
   findAll(ids?: string[], createdBy?: string, archived?: boolean): Observable {
+    if (!ids?.length && !createdBy) {
+      // disallow global queries
+      return of([]);
+    }
     return this.http.get(`${environment.assignmentsApiUrl}/assignments`, {
       params: {
         ...(ids?.length ? {ids: ids.join(',')} : {}),
diff --git a/services/apps/assignments/src/assignment/assignment.controller.ts b/services/apps/assignments/src/assignment/assignment.controller.ts
index b4876e0d..82171b27 100644
--- a/services/apps/assignments/src/assignment/assignment.controller.ts
+++ b/services/apps/assignments/src/assignment/assignment.controller.ts
@@ -69,6 +69,10 @@ export class AssignmentController {
       const members = await this.memberService.findAll({user: {$in: memberIds}});
       (filter.$or ||= []).push({_id: {$in: members.map(m => m.parent)}});
     }
+    if (!filter.$or?.length) {
+      // disallow global queries
+      return [];
+    }
     return (await this.assignmentService.findAll(filter, {
       sort: ASSIGNMENT_SORT,
       collation: ASSIGNMENT_COLLATION,
diff --git a/services/apps/assignments/src/assignment/assignment.service.ts b/services/apps/assignments/src/assignment/assignment.service.ts
index b810dc7e..36077e79 100644
--- a/services/apps/assignments/src/assignment/assignment.service.ts
+++ b/services/apps/assignments/src/assignment/assignment.service.ts
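Review bot: The new guard in the frontend `findAll` runs in the browser and therefore enforces nothing; the comment `// disallow global queries` reads as if it were the access control, while the controller hunk in this same commit is the place that actually refuses the unscoped request. Reword it to state the real purpose: `// The API answers unscoped queries with [] (see AssignmentController.findAll); skip the round trip instead.` Treating `archived` alone as unscoped matches the server-side check, so that part is consistent. One small behavioural difference: `of([])` emits synchronously whereas `http.get` does not, which only matters if a caller depends on asynchronous emission. The enclosing method continues past the end of the hunk.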
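Review bot: Returning `[]` when `filter.$or` is empty makes an unscoped request indistinguishable from a user who legitimately has no assignments, so a misconfigured client, or a scoping branch removed in a later refactor, fails silently rather than loudly; prefer rejecting it, e.g. `throw new BadRequestException('unscoped queries are not allowed');` if this is a NestJS controller. The guard also relies on every scoping branch above it pushing into `filter.$or`; a future branch that scopes via another filter key would be rejected here, so spell out that invariant next to the check: `// Every scoping branch above pushes into filter.$or; with none of them this would list every assignment.` The start of the method lies outside the hunk, so I cannot confirm what else populates `filter`.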
@@ -31,11 +31,21 @@ export class AssignmentService extends MongooseRepository {
     return undefined;
   }
 
+  /**
+   * Removes all information from the assignment that should be hidden from unauthorized users.
+   * Note that some information will always be hidden (e.g. GitHub token, OpenAI API Key) via Mongoose transforms.
+   * @param assignment the assignment to mask.
+   * **Do not pass `AssignmentDocument` (use `.toObject()` first), as it will lead to unwanted extra fields.**
+   * @returns the masked assignment
+   */
   mask(assignment: Assignment): ReadAssignmentDto {
-    const {token, tasks, classroom, ...rest} = assignment;
+    const {token: _token, tasks: _tasks, classroom: _classroom, ...rest} = assignment;
+    const tasks = assignment.deadline && assignment.deadline.valueOf() > Date.now()
+      ? [] // hide tasks if deadline is in the future
+      : assignment.tasks.map(t => this.maskTask(t));
     return {
       ...rest,
-      tasks: assignment.tasks.map(t => this.maskTask(t)),
+      tasks,
     };
   }
 
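Review bot: The TSDoc added to `mask` does not mention the behaviour this hunk introduces: `tasks` becomes `[]` while `deadline` lies in the future, and a caller cannot tell that apart from an assignment that genuinely has no tasks. Add a line to the docstring such as `* Tasks are replaced by an empty array while the deadline lies in the future; callers cannot distinguish this from an assignment without tasks.` The comparison `assignment.deadline.valueOf() > Date.now()` only hides tasks when `deadline` is a `Date` (or a number); if it can arrive as an ISO string — presumably possible for a serialised object, which I cannot confirm from here — `valueOf()` yields the string, the comparison is always false, and the tasks are exposed early, so either pin the type of `deadline` in `Assignment` or normalise with `new Date(assignment.deadline).valueOf() > Date.now()`.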