diff --git a/public/src/client/chats/search.js b/public/src/client/chats/search.js
index db267cfa07..61a4d9800a 100644
--- a/public/src/client/chats/search.js
+++ b/public/src/client/chats/search.js
@@ -28,6 +28,7 @@ define('forum/chats/search', ['components'], function (components) {
 socket.emit('user.search', {
 query: username,
 searchBy: 'username',
+ paginate: false,
 }, function (err, data) {
 if (err) {
 return app.alertError(err.message);
diff --git a/src/controllers/users.js b/src/controllers/users.js
index 1818c53ca7..c485e8ecff 100644
--- a/src/controllers/users.js
+++ b/src/controllers/users.js
@@ -30,10 +30,14 @@ usersController.index = async function (req, res, next) {
 }
 };

-usersController.search = async function (req, res, next) {
- const allowed = await privileges.global.can('search:users', req.uid);
- if (!allowed) {
- return next(new Error('[[error:no-privileges]]'));
+usersController.search = async function (req, res) {
+ const [allowed, isPrivileged] = await Promise.all([
+ privileges.global.can('search:users', req.uid),
+ user.isPrivileged(req.uid),
+ ]);
+
+ if (!allowed || ((req.query.searchBy === 'ip' || req.query.searchBy === 'email' || req.query.bannedOnly === 'true' || req.query.flaggedOnly === 'true') && !isPrivileged)) {
+ throw new Error('[[error:no-privileges]]');
 }
 const [searchData, isAdminOrGlobalMod] = await Promise.all([
 user.search({
diff --git a/src/socket.io/user/search.js b/src/socket.io/user/search.js
index d8e6ccbb13..0844800f26 100644
--- a/src/socket.io/user/search.js
+++ b/src/socket.io/user/search.js
@@ -14,7 +14,7 @@ module.exports = function (SocketUser) {
 user.isPrivileged(socket.uid),
 ]);

- if (!allowed || ((data.searchBy === 'ip' || data.bannedOnly || data.flaggedOnly) && !isPrivileged)) {
+ if (!allowed || ((data.searchBy === 'ip' || data.searchBy === 'email' || data.bannedOnly || data.flaggedOnly) && !isPrivileged)) {
 throw new Error('[[error:no-privileges]]');
 }
 const result = await user.search({
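Review bot: The privilege condition in `usersController.search` is a deny-list of restricted inputs (`ip`, `email`, `bannedOnly`, `flaggedOnly`) and is written a second time in src/socket.io/user/search.js, so a search field added later is unrestricted by default and the two copies can drift. A single helper shared by both entry points would fail closed if it let unprivileged callers use only an allow-list of fields such as `username`, for example `if (!allowed || (!isPrivileged && isRestrictedSearch(req.query))) {`, where `isRestrictedSearch` is a proposed new function. The copies already differ: this one tests `req.query.bannedOnly === 'true'` while the socket handler tests `data.bannedOnly` for truthiness, and the `user.search({` arguments continue outside the hunk, so confirm the search call enables these filters only for the exact value the check recognises. The handler now throws instead of calling `next`, which relies on the route being registered through a wrapper that forwards rejected promises; that registration is not part of this diff.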
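Review bot: `data.searchBy` is compared with `===` against string literals, but `data` is the client-supplied socket payload and nothing in this hunk checks its type, so a non-string value matches none of the restricted names while its handling by `user.search` is decided outside the hunk. Reject non-string values before the privilege check, e.g. `if (data.searchBy !== undefined && typeof data.searchBy !== 'string') { throw new Error('[[error:invalid-data]]'); }`, so that the value checked is the value searched. The same applies to `req.query.searchBy` in src/controllers/users.js, where query values are not guaranteed to be strings. The enclosing function starts before the hunk and the `user.search({` call continues past it.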