diff --git a/public/src/forum/account/edit.js b/public/src/forum/account/edit.js
index 01bea0c39d..aed26a9a19 100644
--- a/public/src/forum/account/edit.js
+++ b/public/src/forum/account/edit.js
@@ -125,7 +125,7 @@ define('forum/account/edit', ['forum/account/header', 'uploader'], function(head
 $('#uploadPictureBtn').on('click', function() {
 $('#change-picture-modal').modal('hide');
- uploader.open(config.relative_path + '/user/uploadpicture', {uid: ajaxify.variables.get('theirid')}, config.maximumProfileImageSize, function(imageUrlOnServer) {
+ uploader.open(config.relative_path + '/api/user/' + ajaxify.variables.get('userslug') + '/uploadpicture', {}, config.maximumProfileImageSize, function(imageUrlOnServer) {
 imageUrlOnServer = imageUrlOnServer + '?' + new Date().getTime();
 $('#user-current-picture').attr('src', imageUrlOnServer);
diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js
index bf26fbffbf..312c6fc038 100644
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@@ -407,26 +407,24 @@ accountsController.uploadPicture = function (req, res, next) {
 image.convertImageToPng(req.files.userPhoto.path, extension, next);
 }, function(next) {
- try {
- var params = JSON.parse(req.body.params);
- if(parseInt(updateUid, 10) === parseInt(params.uid, 10)) {
- return next();
+ user.getUidByUserslug(req.params.userslug, next);
+ },
+ function(uid, next) {
+ if(parseInt(updateUid, 10) === parseInt(uid, 10)) {
+ return next();
+ }
+
+ user.isAdministrator(req.user.uid, function(err, isAdmin) {
+ if (err) {
+ return next(err);
 }
- user.isAdministrator(req.user.uid, function(err, isAdmin) {
- if(err) {
- return next(err);
- }
-
- if(!isAdmin) {
- return userNotAllowed();
- }
- updateUid = params.uid;
- next();
- });
- } catch(err) {
- next(err);
- }
+ if (!isAdmin) {
+ return userNotAllowed();
+ }
+ updateUid = uid;
+ next();
+ });
 }
 ], function(err, result) {
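Review bot: The new request URL on the `+` line splices `ajaxify.variables.get('userslug')` into the path by string concatenation without `encodeURIComponent`, so a slug containing `/`, `?` or `#` would change which route the POST reaches; if slugs are guaranteed URL-safe this is harmless, but that guarantee is not visible here. Consider `'/api/user/' + encodeURIComponent(ajaxify.variables.get('userslug')) + '/uploadpicture'`. Since the server now authorizes on the slug in the path rather than on the `uid` the old code sent in the params object, the now-empty `{}` deserves a one-line comment such as `// target user is taken from the URL; the server resolves and authorizes the slug`. The click handler and the upload callback both continue outside the hunk.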
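Review bot: In the new `function(uid, next)` step, `uid` is used without a null check: when `req.params.userslug` does not resolve, `parseInt(uid, 10)` is NaN, the self-check fails, and an administrator falls through to `updateUid = uid` with an empty target, so whatever follows the waterfall runs for no user. The route registered in this commit runs `middleware.checkAccountPermissions` first, which returns 404 on a missing uid (see the middleware.js hunk), so this is reachable only if the controller is ever mounted without that middleware — still, the guard is cheap: `if (!uid) { return next(new Error('user not found')); }` before the comparison. Note also that `image.convertImageToPng` in the preceding step processes the uploaded file before any authorization decision is made; that ordering predates this change, but now that the slug is resolved both in the middleware and here, a short comment saying which layer is considered authoritative for the self-or-admin decision would make the duplication deliberate rather than accidental. `uploadPicture` starts and ends outside the hunk.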
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index a5bc45b214..20594ac309 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -154,13 +154,11 @@ middleware.checkAccountPermissions = function(req, res, next) {
 return res.redirect('/login?next=' + req.url);
 }
- // this function requires userslug to be passed in. todo: /user/uploadpicture should pass in userslug I think
 user.getUidByUserslug(req.params.userslug, function (err, uid) {
 if (err) {
 return next(err);
 }
- // not sure if this check really should belong here. also make sure we're not doing this check again in the actual method
 if (!uid) {
 if (res.locals.isAPI) {
 return res.json(404, 'not-found');
diff --git a/src/routes/api.js b/src/routes/api.js
index 62726d9470..001cb5a01b 100644
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -188,9 +188,7 @@ module.exports = function(app, middleware, controllers) {
 app.post('/post/upload', uploadPost);
 app.post('/topic/thumb/upload', uploadThumb);
+ app.post('/user/:userslug/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
 });
- // this should be in the API namespace
- // also, perhaps pass in :userslug so we can use checkAccountPermissions middleware - in future will allow admins to upload a picture for a user
- app.post('/user/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, /*middleware.checkAccountPermissions,*/ controllers.accounts.uploadPicture);
 };
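Review bot: The new `app.post('/user/:userslug/uploadpicture', ...)` is registered inside a callback whose header lies outside the hunk, next to `/post/upload` and `/topic/thumb/upload`, whereas the removed `/user/uploadpicture` registration sat outside that block; if that callback attaches a multipart/upload handler to its routes (plausible given its siblings, but not visible here), the request body is now parsed and the temp file written before `middleware.authenticate` can reject an anonymous caller. That is worth confirming, and if it holds, worth stating on the route, e.g. `// body parsing runs before auth in this group; unauthenticated uploads are rejected only after the temp file exists`. Separately, `checkAccountPermissions` resolves `:userslug` and the controller resolves it again; a one-line comment naming the middleware as the check that gates the route would document the intent the deleted comments used to carry.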