diff --git a/spec/controllers/auth/registrations_controller_spec.rb b/spec/controllers/auth/registrations_controller_spec.rb
index 0b7f02f590..75ab287652 100644
--- a/spec/controllers/auth/registrations_controller_spec.rb
+++ b/spec/controllers/auth/registrations_controller_spec.rb
@@ -44,27 +44,93 @@ RSpec.describe Auth::RegistrationsController do
     end
   end
 
-  describe 'GET #update' do
-    let(:user) { Fabricate(:user) }
+  describe 'PUT #update' do
+    let(:current_password) { 'current password' }
+    let(:user) { Fabricate(:user, password: current_password) }
 
     before do
       request.env['devise.mapping'] = Devise.mappings[:user]
       sign_in(user, scope: :user)
-      post :update
     end
 
     it 'returns http success' do
+      put :update
       expect(response).to have_http_status(200)
     end
 
     it 'returns private cache control headers' do
+      put :update
       expect(response.headers['Cache-Control']).to include('private, no-store')
     end
 
+    it 'can update the user email' do
+      expect do
+        put :update, params: {
+          user: {
+            email: 'newemail@example.com',
+            current_password: current_password,
+          },
+        }
+        expect(response).to redirect_to(edit_user_registration_path)
+      end.to change { user.reload.unconfirmed_email }.to('newemail@example.com')
+    end
+
+    it 'requires the current password to update the email' do
+      expect do
+        put :update, params: {
+          user: {
+            email: 'newemail@example.com',
+            current_password: 'something',
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.unconfirmed_email })
+    end
+
+    it 'can update the user password' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'new password',
+            current_password: current_password,
+          },
+        }
+        expect(response).to redirect_to(edit_user_registration_path)
+      end.to(change { user.reload.encrypted_password })
+    end
+
+    it 'requires the password confirmation' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'something else',
+            current_password: current_password,
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.encrypted_password })
+    end
+
+    it 'requires the current password to update the password' do
+      expect do
+        put :update, params: {
+          user: {
+            password: 'new password',
+            password_confirmation: 'new password',
+            current_password: 'something',
+          },
+        }
+        expect(response).to have_http_status(200)
+      end.to_not(change { user.reload.encrypted_password })
+    end
+
     context 'when suspended' do
       let(:user) { Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }) }
 
       it 'returns http forbidden' do
+        put :update
         expect(response).to have_http_status(403)
       end
     end