diff --git a/js/admin/dist/app.js b/js/admin/dist/app.js index a044422a4..fd7ff4768 100644 --- a/js/admin/dist/app.js +++ b/js/admin/dist/app.js @@ -20294,6 +20294,13 @@ System.register('flarum/components/PermissionGrid', ['flarum/Component', 'flarum allowGuest: true }, 100); + items.add('viewUserList', { + icon: 'users', + label: app.translator.trans('core.admin.permissions.view_user_list_label'), + permission: 'viewUserList', + allowGuest: true + }, 100); + items.add('signUp', { icon: 'user-plus', label: app.translator.trans('core.admin.permissions.sign_up_label'), diff --git a/js/admin/src/components/PermissionGrid.js b/js/admin/src/components/PermissionGrid.js index 7d452e799..416839c45 100644 --- a/js/admin/src/components/PermissionGrid.js +++ b/js/admin/src/components/PermissionGrid.js @@ -91,6 +91,13 @@ export default class PermissionGrid extends Component { allowGuest: true }, 100); + items.add('viewUserList', { + icon: 'users', + label: app.translator.trans('core.admin.permissions.view_user_list_label'), + permission: 'viewUserList', + allowGuest: true + }, 100); + items.add('signUp', { icon: 'user-plus', label: app.translator.trans('core.admin.permissions.sign_up_label'), diff --git a/src/Api/Controller/ListUsersController.php b/src/Api/Controller/ListUsersController.php index 727d13343..733f25e79 100644 --- a/src/Api/Controller/ListUsersController.php +++ b/src/Api/Controller/ListUsersController.php @@ -12,6 +12,7 @@ namespace Flarum\Api\Controller; use Flarum\Api\UrlGenerator; +use Flarum\Core\Exception\PermissionDeniedException; use Flarum\Core\Search\SearchCriteria; use Flarum\Core\Search\User\UserSearcher; use Psr\Http\Message\ServerRequestInterface; 
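Review bot: In `js/admin/src/components/PermissionGrid.js` the new `viewUserList` entry sets `allowGuest: true`, which presumably lets an administrator grant the permission to unauthenticated visitors, and nothing on the entry says what that exposes. Since the check added in `ListUsersController` passes any actor holding the permission, granting it to guests would make the user list and user search readable without a login. I would add a comment above the entry, for example `// Granting this to guests makes the user list API readable without authentication.`, or set `allowGuest: false` if anonymous access is not intended. The enclosing method starts and ends outside the hunk, and the `js/admin/dist/app.js` hunk is the built copy of the same change.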
@@ -66,6 +67,11 @@ class ListUsersController extends AbstractCollectionController
 protected function data(ServerRequestInterface $request, Document $document)
 {
 $actor = $request->getAttribute('actor');
+
+ if ($actor->cannot('viewUserList')) {
+ throw new PermissionDeniedException;
+ }
+
 $query = array_get($this->extractFilter($request), 'q');
 $sort = $this->extractSort($request);
diff --git a/src/Api/Serializer/ForumSerializer.php b/src/Api/Serializer/ForumSerializer.php
index ba87f6375..852ec08a6 100644
--- a/src/Api/Serializer/ForumSerializer.php
+++ b/src/Api/Serializer/ForumSerializer.php
@@ -80,7 +80,8 @@ class ForumSerializer extends AbstractSerializer
 'allowSignUp' => (bool) $this->settings->get('allow_sign_up'),
 'defaultRoute' => $this->settings->get('default_route'),
 'canViewDiscussions' => $this->actor->can('viewDiscussions'),
- 'canStartDiscussion' => $this->actor->can('startDiscussion')
+ 'canStartDiscussion' => $this->actor->can('startDiscussion'),
+ 'canViewUserList' => $this->actor->can('viewUserList')
 ];
 if ($this->actor->can('administrate')) {
diff --git a/src/Install/Console/InstallCommand.php b/src/Install/Console/InstallCommand.php
index 7d456a24e..69ac97a05 100644
--- a/src/Install/Console/InstallCommand.php
+++ b/src/Install/Console/InstallCommand.php
@@ -291,9 +291,10 @@ class InstallCommand extends AbstractCommand
 // Guests can view the forum
 [Group::GUEST_ID, 'viewDiscussions'],
- // Members can create and reply to discussions
+ // Members can create and reply to discussions, and view the user list
 [Group::MEMBER_ID, 'startDiscussion'],
 [Group::MEMBER_ID, 'discussion.reply'],
+ [Group::MEMBER_ID, 'viewUserList'],
 // Moderators can edit + delete stuff
 [static::MOD_GROUP_ID, 'discussion.delete'],
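Review bot: The `viewUserList` check added to `ListUsersController::data()` guards only this controller, and the hunk does not document that scope. `UserSearcher`, imported at the top of the file, is not touched by this commit, so any other caller of it, and any endpoint that returns a single user, would presumably still answer actors without the permission. I would state this on the guard, for example `// Gates listing and searching users only; single-user lookups are authorized elsewhere.`, and add an API test that expects a permission error for an actor lacking `viewUserList`. The body of `data()` continues outside the hunk.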
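Review bot: `canViewUserList` in `ForumSerializer` is only a hint for the client, and the new line carries no comment saying that enforcement lives in `ListUsersController`. A comment such as `// UI hint only; ListUsersController enforces viewUserList.` would keep a later reader from treating the attribute as the access check. In the visible part of the diff only the admin JavaScript changes, so it is worth confirming that the forum client reads this attribute and hides user search when it is false, otherwise those requests will now fail with a permission error. The attribute array starts outside the hunk.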
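Review bot: The `[Group::MEMBER_ID, 'viewUserList']` row in `InstallCommand` is written only on a fresh install, so a forum installed before this commit would have no group holding `viewUserList` unless a migration outside the visible diff adds it. Combined with the new check in `ListUsersController`, an upgrade would presumably deny the user list to every member until an administrator grants the permission by hand. I would ship a migration that inserts the same row for `Group::MEMBER_ID`, or mention the manual step in the upgrade notes. The permissions array starts and ends outside the hunk.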