diff --git a/src/api/users.js b/src/api/users.js
index 7c8a725019..2bd4779409 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -41,6 +41,10 @@ usersAPI.create = async function (caller, data) {
 };
 usersAPI.get = async (caller, { uid }) => {
+ const canView = await privileges.global.can('view:users', caller.uid);
+ if (!canView) {
+ throw new Error('[[error:no-privileges]]');
+ }
 const userData = await user.getUserData(uid);
 return await user.hidePrivateData(userData, caller.uid);
 };
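Review bot: The added `view:users` check in `usersAPI.get` carries no comment saying that it must stay ahead of `user.getUserData(uid)`, which is what gives a denied caller the same `[[error:no-privileges]]` error whatever `uid` was requested; I would add `// authorize before the lookup so a denied caller learns nothing about uid` above the `privileges.global.can` call. The gate also applies when the caller asks for its own record, since nothing in the new lines compares `caller.uid` with `uid`, so please confirm that denying self-lookups is intended. A regression test that calls the handler as a caller without `view:users` and expects the no-privileges error would keep the check from being dropped in a later refactor. Other handlers in this file lie outside the hunk, so whether they need the same gate cannot be judged from here.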