diff --git a/app/controllers/v0/password_resets_controller.rb b/app/controllers/v0/password_resets_controller.rb
index e260b054..7bdd09dd 100644
--- a/app/controllers/v0/password_resets_controller.rb
+++ b/app/controllers/v0/password_resets_controller.rb
@@ -28,7 +28,6 @@ def create
   # 2/3 - The associated user object is returned, indicating a valid token
   def show
     @user = User.find_by!(password_reset_token: params[:id])
-    @current_user = @user
     authorize @user, :update_password?
     render 'users/show', status: :ok
   end
@@ -36,7 +35,6 @@ def show
   # 3/3 - The password reset is submitted and committed to the database
   def update
     @user = User.find_by!(password_reset_token: params[:id])
-    @current_user = @user
     authorize @user, :update_password?
     if @user.update({ password: params.require(:password), password_reset_token: nil })
       render 'users/show', status: :ok
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index 1d6d4de0..d542b2ab 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -12,7 +12,7 @@
     it { is_expected.to_not permitz(:update) }
     it { is_expected.to_not permitz(:destroy) }
     it { is_expected.to permitz(:request_password_reset) }
-    it { is_expected.to_not permitz(:update_password) }
+    it { is_expected.to permitz(:update_password) }
   end
 
   context "for a user" do
@@ -22,7 +22,7 @@
     it { is_expected.to permitz(:update) }
     it { is_expected.to permitz(:destroy) }
     it { is_expected.to_not permitz(:request_password_reset) }
-    it { is_expected.to permitz(:update_password) }
+    it { is_expected.to_not permitz(:update_password) }
   end
 
 end
diff --git a/spec/requests/v0/password_resets_spec.rb b/spec/requests/v0/password_resets_spec.rb
index 1cfd239c..13c1b440 100644
--- a/spec/requests/v0/password_resets_spec.rb
+++ b/spec/requests/v0/password_resets_spec.rb
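Review bot: With `@current_user = @user` removed, `authorize @user, :update_password?` in `show` now runs against the unauthenticated session, so the only thing gating `render 'users/show'` is that `params[:id]` matched a stored `password_reset_token` — the hunk shows no check that the token is still fresh before the user record is returned. If the model carries no expiry, both actions should reject stale tokens before `authorize`, e.g. `raise ActiveRecord::RecordNotFound if @user.<RESET_SENT_AT_COLUMN> < <TOKEN_TTL>.ago` (column and TTL are placeholders for the project's own names); the same applies to the second hunk (`update`), which I am not repeating there. Note also that `show` hands the full `users/show` representation to anyone presenting the token, so if that template exposes more than is needed to confirm the link is valid, a minimal response would narrow what a leaked reset link reveals. The enclosing controller class starts and ends outside these hunks.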
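Review bot: The flipped expectations in both `user_policy_spec.rb` hunks leave the reason undocumented: after this change a guest may `update_password` while a signed-in user may not, which reads as inverted until one knows the token flow is intended for anonymous sessions. A one-line comment above each changed `it` would save the next reader a trip to the controller, e.g. `# token-based reset is an anonymous flow; a signed-in user changes their password through the account flow instead`. The corresponding change to the `update_password?` policy method is not in the diff shown here, so I am assuming it is part of this commit elsewhere; if it is not, both contexts will fail. The enclosing `describe`/`context` blocks start outside the hunks.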
@@ -117,6 +117,7 @@
   it "can reset password with valid token" do
     expect(user.authenticate('newpass')).to be_falsey
     j = api_put "password_resets/#{user.password_reset_token}", { password: 'newpass' }
+    p response
     expect(j["username"]).to eq(user.username)
     expect(response.status).to eq(200)