diff --git a/CHANGELOG b/CHANGELOG
index 4a299827c11..c353c3b770c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,7 @@ v 7.0.0
 - Be more selective when killing stray Sidekiqs
 - Check LDAP user filter during sign-in
 - Remove wall feature (no data loss - you can take it from database)
+ - Dont expose user emails via API unless you are admin
 v 6.9.2
 - Revert the commit that broke the LDAP user filter
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index c4728431ec5..c3eec56d133 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -23,6 +23,17 @@ describe API::API, api: true do
 json_response.first['username'].should == user.username
 end
 end
+
+ context "when admin" do
+ it "should return an array of users" do
+ get api("/users", admin)
+ response.status.should == 200
+ json_response.should be_an Array
+ json_response.first.keys.should include 'email'
+ json_response.first.keys.should include 'extern_uid'
+ json_response.first.keys.should include 'can_create_project'
+ end
+ end
 end
 describe "GET /users/:id" do
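Review bot: Nothing visible in the users_spec.rb hunk asserts that a non-admin response omits `email`; the added `context "when admin"` example only checks that admins do receive `email`, `extern_uid` and `can_create_project`. The restriction promised by the changelog entry is therefore untested here, and a later change to the user entity could expose emails again while this spec still passes. The authenticated non-admin example just above (its start is outside the hunk) looks like the place for the negative check, e.g. `json_response.first.keys.should_not include 'email'`, with the same for the other two keys if they are also meant to be admin-only. The `GET /users/:id` examples begin at the end of the hunk and are not shown; if that endpoint returns the same fields, it presumably needs the same pair of assertions.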