diff --git a/app/controllers/spree/admin/search_controller.rb b/app/controllers/spree/admin/search_controller.rb
new file mode 100644
index 0000000000..49abde0ef1
--- /dev/null
+++ b/app/controllers/spree/admin/search_controller.rb
@@ -0,0 +1,27 @@
+module Spree
+  module Admin
+    class SearchController < Spree::Admin::BaseController
+      # http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/
+      before_filter :check_json_authenticity, :only => :index
+      respond_to :json
+
+      # TODO: Clean this up by moving searching out to user_class_extensions
+      # And then JSON building with something like Active Model Serializers
+      def users
+        if params[:ids]
+          @users = Spree.user_class.where(:id => params[:ids].split(','))
+        else
+          @users = Spree.user_class.ransack({
+            :m => 'or',
+            :email_start => params[:q],
+            :ship_address_firstname_start => params[:q],
+            :ship_address_lastname_start => params[:q],
+            :bill_address_firstname_start => params[:q],
+            :bill_address_lastname_start => params[:q]
+          }).result.limit(10)
+        end
+      end
+    end
+  end
+end
+