diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index b7b3d51..4e377ec 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -96,7 +96,7 @@
         # remove the virtual current_password attribute update_without_password
         # doesn't know how to ignore it
         params[:user].delete(:current_password)
-        current_user.update_without_password(params[:user])
+        current_user.update_without_password(update_params)
       end
     else
     	current_user.update_attributes(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
@@ -128,4 +128,9 @@
                                  :accept_terms, :org_id, :other_organisation)
   end
 
+  def update_params
+    params.require(:user).permit(:email, :password, :firstname, :current_password,
+                                 :org_id, :other_organisation, :language_id)
+  end
+
 end