diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 009a716..a952e26 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -751,6 +751,11 @@ function user_access($string, $account = NULL) {
     return TRUE;
   }
 
+  // If the account has no roles it can't have any permissions.
+  if (empty($account->roles)) {
+    return FALSE;
+  }
+
   // To reduce the number of SQL queries, we cache the user's permissions
   // in a static variable.
   // Use the advanced drupal_static() pattern, since this is called very often.
diff --git a/core/modules/user/user.test b/core/modules/user/user.test
index 39d90d1..0abc77b 100644
--- a/core/modules/user/user.test
+++ b/core/modules/user/user.test
@@ -1187,6 +1187,18 @@ class UserPermissionsTestCase extends DrupalWebTestCase {
     $this->assertFalse(user_access('access user profiles', $account), t('User no longer has "access user profiles" permission.'));
     $this->assertTrue(user_access('administer site configuration', $account), t('User still has "administer site configuration" permission.'));
   }
+
+  /**
+   * Tests user permissions without roles.
+   **/
+  function testUserWithoutRoles() {
+    // Create a new user account.
+    $user = $this->drupalCreateUser();
+    // Remove all roles.
+    $user->roles = array();
+
+    $this->assertFalse(user_access(array('access content'), $user), "User without roles don't have permissions.");
+  }
 }
 
 class UserAdminTestCase extends DrupalWebTestCase {