diff --git a/app/controllers/people_controller.rb b/app/controllers/people_controller.rb
index ea56ed81b4f6ba571c370c631d6e8174505b9935..9280e2d3eeecce2e682dd323e8a72afa3a945b5c 100644
--- a/app/controllers/people_controller.rb
+++ b/app/controllers/people_controller.rb
@@ -56,6 +56,7 @@ class PeopleController < ApplicationController
     end
 
     # upload and set new profile photo
+    params[:person][:profile] ||= {}
     if params[:person][:profile][:image].present?
       raw_image = params[:person][:profile].delete(:image)
       params[:profile_image_hash] = { :user_file => raw_image, :to => "all" }
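Review bot: The added `params[:person][:profile] ||= {}` only covers a missing `profile` sub-hash; a request with no `person` key at all still raises NoMethodError on `nil[:profile]` before the guard can help, which is the same class of failure the line was added to avoid. Adding `params[:person] ||= {}` directly above it closes that gap, or the action could reject such requests up front if a bare update without `person` is never valid. The enclosing action starts and ends outside this hunk, so I can't tell whether an earlier line already establishes `params[:person]`; if it does, a short comment saying so next to the new line would save the next reader the same question.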
diff --git a/spec/controllers/people_controller_spec.rb b/spec/controllers/people_controller_spec.rb
index 16b0968a4da21e9646d2a2cd9dd8875878ceae46..c69c0f9d533bab3b7ff7b28dbb6c6cb92ec4267f 100644
--- a/spec/controllers/people_controller_spec.rb
+++ b/spec/controllers/people_controller_spec.rb
@@ -22,14 +22,17 @@ describe PeopleController do
 
   it 'should go to the current_user show page' do
     get :show, :id => user.person.id
+    response.should be_success
   end
 
-  it "doesn't error out on an invalid id" do
+  it "redirects on an invalid id" do
     get :show, :id => 'delicious'
+    response.should redirect_to people_path
   end
 
-  it "doesn't error out on a nonexistent person" do
+  it "redirects on a nonexistent person" do
     get :show, :id => user.id
+    response.should redirect_to people_path
   end
 
   describe '#update' do
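Review bot: The "redirects on a nonexistent person" example passes `user.id` as the person id, which presumably only works while no person record happens to share that numeric id with the user; as fixtures or sequences change, this example can start hitting a real person and silently test the wrong path. A value that is guaranteed absent is more robust, e.g. `get :show, :id => (Person.maximum(:id) || 0) + 1` or a deliberately unused id computed in the example. The new `response.should redirect_to people_path` assertions are a good tightening of the previous "doesn't error out" wording.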
@@ -50,5 +53,11 @@ describe PeopleController do
         user.person.profile.image_url.should == image_url
       end
     end
+    it 'does not allow mass assignment' do
+      new_user = make_user
+      put :update, :id => user.person.id, :person => {
+        :owner_id => new_user.id}
+      user.person.reload.owner_id.should_not == new_user.id
+    end
   end
 end
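Review bot: The new "does not allow mass assignment" example only checks that `owner_id` is unchanged after reload, so it also passes if the update blew up with a 500 or never reached the model; it should additionally assert on the response the `update` action normally produces (success or the redirect used on the happy path, whichever the action renders) so that "attribute ignored" is distinguished from "request failed". Where the protection is enforced (model attr_accessible/attr_protected or controller filtering) is not visible in this diff, so I can't confirm the assertion targets the right layer. Stylistically, add a blank line before `it 'does not allow mass assignment' do` to match the spacing of the surrounding examples, and close the hash on its own line: `:person => { :owner_id => new_user.id }`.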