diff --git a/app/models/person.rb b/app/models/person.rb
index f99908eacae2c8885cfdc561f7d4c0f30f905a57..8d604eb20e66110ae2d79bed557cb57d69bbe09d 100644
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -45,6 +45,8 @@ class Person
   scope :searchable, where('profile.searchable' => true)
+  attr_accessible :profile
+
   def self.search(query)
     return Person.searchable.all if query.to_s.empty?
     query_tokens = query.to_s.strip.split(" ")
diff --git a/app/models/user.rb b/app/models/user.rb
index 9784a480f7660f1cb565aef52da53d2126bbb3cc..a2687dac69cd2c6169ee7c35fa5cb1d8d4ab11cf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -388,21 +388,16 @@ class User
   def accept_invitation!(opts = {})
     if self.invited?
-      self.username = opts[:username]
+
+      self.setup(opts)
+
+      self.invitation_token = nil
       self.password = opts[:password]
       self.password_confirmation = opts[:password_confirmation]
-      opts[:person][:diaspora_handle] = "#{opts[:username]}@#{APP_CONFIG[:terse_pod_url]}"
-      opts[:person][:url] = APP_CONFIG[:pod_url]
-      opts[:serialized_private_key] = User.generate_key
-      self.serialized_private_key = opts[:serialized_private_key]
-      opts[:person][:serialized_public_key] = opts[:serialized_private_key].public_key
-
-      person_hash = opts.delete(:person)
-      self.person = Person.create(person_hash)
-      self.person.save
+      self.person.save!
       self.invitation_token = nil
-      self.save
+      self.save!
       self
     end
   end
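Review bot: `attr_accessible :profile` makes profile the only mass-assignable attribute of Person, but the `:profile` value that reaches `Person.new(opts[:person])` from User#setup is itself a caller-supplied hash, so the protection only holds if Profile carries its own whitelist — that is not visible in this diff and is worth confirming before relying on it. The `searchable` flag consulted by the scope directly above lives on the profile, so it is one of the fields reachable through that nested hash if Profile does not restrict it. A one-line comment would spare the next reader from re-deriving why diaspora_handle, url and serialized_public_key are deliberately absent from the list: `# Mass-assignment whitelist: only profile may come from params; handle, url and the public key are set explicitly by User#setup.`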
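Review bot: `self.person.save!` now persists the freshly built Person — with its newly generated public key and the username-derived diaspora_handle — before `self.save!` validates the User, so a failing user save (a password/confirmation mismatch, for instance) raises and leaves an orphaned Person behind, and a retry would mint a second one for the same handle. Validating the user first would avoid that: either an explicit `raise "invalid user" unless self.valid?` ahead of `self.person.save!`, or saving the user before the person if the user's validations do not themselves require a persisted person (I cannot tell from this hunk). The added `self.invitation_token = nil` near the top duplicates the one that survives three lines below; one of them can go. Note also that moving from `save` to `save!` changes the failure mode from a falsy return to an exception, so callers of accept_invitation! outside this hunk need to handle it.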
@@ -410,24 +405,28 @@ class User
   ###Helpers############
   def self.build(opts = {})
     u = User.new(opts)
-
-    u.username = opts[:username]
     u.email = opts[:email]
+    u.setup(opts)
+    u
+  end
+  def setup(opts)
+    self.username = opts[:username]
+
     opts[:person] ||= {}
     opts[:person][:profile] ||= Profile.new
-    u.person = Person.new(opts[:person])
-    u.person.diaspora_handle = "#{opts[:username]}@#{APP_CONFIG[:terse_pod_url]}"
-
-    u.person.url = APP_CONFIG[:pod_url]
     new_key = generate_key
-    u.serialized_private_key = new_key
-    u.person.serialized_public_key = new_key.public_key
+    self.person = Person.new(opts[:person])
+    self.person.diaspora_handle = "#{opts[:username]}@#{APP_CONFIG[:terse_pod_url]}"
+    self.person.url = APP_CONFIG[:pod_url]
+    new_key = User.generate_key
+    self.serialized_private_key = new_key
+    self.person.serialized_public_key = new_key.public_key
-    u
+    self
   end
+
   def seed_aspects
     self.aspects.create(:name => "Family")
     self.aspects.create(:name => "Work")
diff --git a/spec/models/user/invite_spec.rb b/spec/models/user/invite_spec.rb
index b7c68d52d0675fa68a2a3bad3bccd700fe14ebaf..6384978d6f00defcfb1c0e715321397b5397b917 100644
--- a/spec/models/user/invite_spec.rb
+++ b/spec/models/user/invite_spec.rb
@@ -35,6 +35,10 @@ describe User do
       }.should change(User, :count).by(1)
     end
+    it 'creates it with an email' do
+      inviter.invite_user(:email => "joe@example.com", :aspect_id => aspect.id).email.should == "joe@example.com"
+    end
+
     it 'sends email to the invited user' do
       ::Devise.mailer.should_receive(:invitation).once
       inviter.invite_user(:email => "ian@example.com", :aspect_id => aspect.id)
@@ -135,6 +139,7 @@ def create_user_with_invitation(invitation_token, attributes={})
   inviter = attributes.delete(:inviter)
   user = User.new({:password => nil, :password_confirmation => nil}.update(attributes))
   #user.skip_confirmation!
+  user.email = attributes[:email]
   user.invitation_token = invitation_token
   user.invitation_sent_at = Time.now.utc
   user.inviters << inviter
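Review bot: `setup` is a public instance method that unconditionally generates a new key pair, overwrites `serialized_private_key` and replaces `person`, so calling it on an already-persisted user would silently rotate that user's signing key and detach their Person; a guard such as `raise "user already set up" if serialized_private_key` (or restricting the method's visibility) would confine it to the two fresh-user call sites in this diff. As rendered, the context line `new_key = generate_key` survives inside the instance method immediately before the added `new_key = User.generate_key`; if that is not a display artifact it calls the class method without a receiver and will fail at runtime, so confirm the old line is actually removed. The method also mutates the caller's `opts` hash (`opts[:person] ||= {}` and the injected `Profile.new`), which deserves a header comment: `# Shared by User.build and #accept_invitation!: assigns username, builds the Person (handle, url and public key are set here, never taken from opts) and generates the key pair. Mutates opts[:person].`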
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 6c5a2d0bce9d2f7a6764c01efc716abf1f685eab..3af16945b24ce26bf7103e481e62ca964d96c4cc 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -45,7 +45,7 @@ describe User do
     user = Factory.build(:user)
     user.should be_valid
-    user.person.update_attribute(:serialized_public_key, nil)
+    user.person.serialized_public_key = nil
     user.person.should_not be_valid
     user.should_not be_valid
@@ -191,6 +191,25 @@ describe User do
       User.build(@invalid_params).save.should be_false
     end
   end
+  describe "with malicious params" do
+    let(:person) {Factory.create :person}
+    before do
+      @invalid_params = {:username => "ohai",
+        :email => "ohai@example.com",
+        :password => "password",
+        :password_confirmation => "password",
+        :person =>
+          {:_id => person.id,
+          :profile =>
+            {:first_name => "O",
+            :last_name => "Hai"}
+        }
+      }
+    end
+    it "does not assign it to the person" do
+      User.build(@invalid_params).person.id.should_not == person.id
+    end
+  end
 end
 describe ".find_for_authentication" do
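Review bot: The new "with malicious params" spec only asserts that a forged `:_id` is not mass-assigned; the fields an attacker would actually want to control through `:person` — `diaspora_handle`, `url` and `serialized_public_key`, which the old accept_invitation! used to copy straight out of opts — are not exercised. Adding those keys to `@invalid_params` and asserting, for example, `person.diaspora_handle.should == "ohai@#{APP_CONFIG[:terse_pod_url]}"` and `person.serialized_public_key.should_not == forged_key` would pin the whole whitelist rather than one attribute of it. Since the nested `:profile` hash is accepted on purpose, a companion assertion that `first_name` did arrive would document where the intended boundary lies.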