diff --git a/src/middleware/user.js b/src/middleware/user.js
index a9573e397c..342730c507 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -203,8 +203,12 @@ module.exports = function (middleware) {
 if (uid <= 0) {
 return next();
 }
- const userslug = await user.getUserField(uid, 'userslug');
- if (!userslug) {
+ const [canView, userslug] = await Promise.all([
+ privileges.global.can('view:users', req.uid),
+ user.getUserField(uid, 'userslug'),
+ ]);
+
+ if (!userslug || (!canView && req.uid !== uid)) {
 return next();
 }
 const path = req.url.replace(/^\/api/, '')
diff --git a/src/routes/user.js b/src/routes/user.js
index 49f551dc59..040f6cb063 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -5,7 +5,11 @@ const helpers = require('./helpers');
 const { setupPageRoute } = helpers;
 
 module.exports = function (app, name, middleware, controllers) {
- const middlewares = [middleware.exposeUid, middleware.canViewUsers, middleware.buildAccountData];
+ const middlewares = [
+ middleware.exposeUid,
+ middleware.canViewUsers,
+ middleware.buildAccountData,
+ ];
 const accountMiddlewares = [
 ...middlewares,
 middleware.ensureLoggedIn,
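Review bot: The self-view exemption `req.uid !== uid` in the new condition only behaves as intended if `uid` has already been coerced to a number before this point; the enclosing middleware starts outside the hunk, so whether it is parsed with a radix or still a raw route string cannot be confirmed from here, and a string would make a logged-in user fail the strict comparison and lose the redirect to their own profile. The decision to answer the no-privilege case with the same `return next()` as the missing-slug case is the right one, because a distinct 403 would turn this redirect into a uid-to-userslug existence oracle, but that reasoning is not visible in the code; a one-line comment above the check such as `// Same fall-through as the missing-slug case so the response does not reveal whether the uid exists.` would keep a later refactor from "improving" it into a 403. Also worth confirming that `privileges` is required at the top of src/middleware/user.js, which is outside this hunk. The second file's hunk only reflows the middleware array and needs no change.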