diff --git a/app/controllers/dev_utilities_controller.rb b/app/controllers/dev_utilities_controller.rb
index 549b25b00f4efe1110fa7d5592eb9bd5a50a9b91..6318dfb78acb0ced80aa3f61b322e30fcf9ae9fc 100644
--- a/app/controllers/dev_utilities_controller.rb
+++ b/app/controllers/dev_utilities_controller.rb
@@ -48,7 +48,8 @@ class DevUtilitiesController < ApplicationController
 
       @fixture_name = File.join(File.dirname(__FILE__), "..", "..", "public", "images", "user", "#{username}.jpg")
 
-      photo = Photo.new(:person => current_user.person, :album => album)
+      photo = Photo.new(:album => album)
+      photo.person = current_user.person
       photo.image.store! File.open(@fixture_name)
       photo.save
       photo.reload
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 1d4faa310864d71aedaf059ba3916de9f4d86664..c0c5851486a992352db29c09fdec1ea25048c7a8 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -97,7 +97,9 @@ class PhotosController < ApplicationController
       respond_with @photo
     else
       flash[:error] = I18n.t 'photos.update.error'
-      render :action => :edit
+      @album = @photo.album
+      set_friends_and_status
+      render :edit
     end
   end
 end
diff --git a/app/models/photo.rb b/app/models/photo.rb
index 94985e2bf75ed328c2af14abe82f4e05f6de920e..afc3fa58387e0ca6d0229646e76dfa0ef42b0cfa 100644
--- a/app/models/photo.rb
+++ b/app/models/photo.rb
@@ -32,12 +32,16 @@ class Photo < Post
 
   before_destroy :ensure_user_picture
 
+  attr_protected :person
+
   def self.instantiate(params = {})
-    image_file = params[:user_file]
-    params.delete :user_file
+    image_file = params.delete(:user_file)
+    person = params.delete(:person)
 
     photo = Photo.new(params)
+
     photo.image.store! image_file
+    photo.person = person
     photo.save
     photo
   end
diff --git a/spec/controllers/photos_controller_spec.rb b/spec/controllers/photos_controller_spec.rb
index 0afd2ad9e1147f6958cfa46fa484f052db11e504..86d8d448c5fe0b5c892c4d99a7f8bfa5e8a9bffc 100644
--- a/spec/controllers/photos_controller_spec.rb
+++ b/spec/controllers/photos_controller_spec.rb
@@ -15,7 +15,7 @@ describe PhotosController do
     image = File.open(@fixture_name)
     #@photo = Photo.instantiate(
      #         :person => @user.person, :album => @album, :user_file => image)
-    @photo  = @user.post(:photo, :album_id => @album.id, :user_file => image, :to => @aspect.id)
+    @photo = @user.post(:photo, :album_id => @album.id, :user_file => image, :to => @aspect.id)
     sign_in :user, @user
   end
 
diff --git a/spec/models/photo_spec.rb b/spec/models/photo_spec.rb
index 1cf1340d40714f18d544c7d660f9dac3f2d1f419..edc3aecf6839e1d070e8d54ee7edc6db03860828 100644
--- a/spec/models/photo_spec.rb
+++ b/spec/models/photo_spec.rb
@@ -14,7 +14,21 @@ describe Photo do
     @fixture_name = File.join(File.dirname(__FILE__), '..', 'fixtures', @fixture_filename)
     @fail_fixture_name = File.join(File.dirname(__FILE__), '..', 'fixtures', 'msg.xml')
 
-    @photo = Photo.new(:person => @user.person, :album => @album)
+    @photo = Photo.new(:album => @album)
+    @photo.person = @user.person
+  end
+
+  describe "protected attributes" do
+    it "doesn't allow mass assignment of person" do
+      @photo.save!
+      @photo.update_attributes(:person => Factory(:person))
+      @photo.reload.person.should == @user.person
+    end
+    it "doesn't allow mass assignment of person_id" do
+      @photo.save!
+      @photo.update_attributes(:person_id => Factory(:person).id)
+      @photo.reload.person.should == @user.person
+    end
   end
 
   it 'has a constructor' do
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index a9530093f5e3da8bf546df0f7559552d7979ebcd..17a52afff77cd4029292f5021559868d7caf4fc7 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -16,11 +16,13 @@ describe User do
 
   describe 'overwriting people' do
     it 'does not overwrite old users with factory' do
+      pending "Why do you want to set ids directly? MONGOMAPPERRRRR!!!"
       new_user = Factory.create(:user, :id => user.id)
       new_user.persisted?.should be_true
       new_user.id.should_not == user.id
     end
     it 'does not overwrite old users with create' do
+      pending "Why do you want to set ids directly? MONGOMAPPERRRRR!!!"
           params = {:username => "ohai",
                     :email => "ohai@example.com",
                     :password => "password",