diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index 20ec6c6..8d3153d 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -35,34 +35,34 @@
   # POST /resource
   def create
     #logger.debug "#{sign_up_params}"
-  	if sign_up_params[:accept_terms] != "1" then
-  	  redirect_to after_sign_up_error_path_for(resource), alert: _('You must accept the terms and conditions to register.')
-  	else
-  		existing_user = User.find_by_email(sign_up_params[:email])
-  		if !existing_user.nil? then
-  			if (existing_user.password == "" || existing_user.password.nil?) && existing_user.confirmed_at.nil? then
-  				@user = existing_user
-  				do_update(false, true)
-  			else
+    if sign_up_params[:accept_terms] != "1" then
+      redirect_to after_sign_up_error_path_for(resource), alert: _('You must accept the terms and conditions to register.')
+    else
+      existing_user = User.find_by_email(sign_up_params[:email])
+      if !existing_user.nil? then
+        if (existing_user.password == "" || existing_user.password.nil?) && existing_user.confirmed_at.nil? then
+          @user = existing_user
+          do_update(false, true)
+        else
           redirect_to after_sign_up_error_path_for(resource), alert: _('That email address is already registered.')
-  			end
-  		else
+        end
+      else
         build_resource(sign_up_params)
-  			if resource.save
-  			  if resource.active_for_authentication?
-    				set_flash_message :notice, :signed_up if is_navigational_format?
-    				sign_up(resource_name, resource)
-    				respond_with resource, location: after_sign_up_path_for(resource)
-  			  else
-    				set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-    				#expire_session_data_after_sign_in!  <-- DEPRECATED BY DEVISE
-    				respond_with resource, location: after_inactive_sign_up_path_for(resource)
-  			  end
-  			else
-  			  clean_up_passwords resource
-  			  redirect_to after_sign_up_error_path_for(resource), alert: _('Error processing registration. Please check that you have entered a valid email address and that your chosen password is at least 8 characters long.')
-  			end
-		  end
+        if resource.save
+          if resource.active_for_authentication?
+            set_flash_message :notice, :signed_up if is_navigational_format?
+            sign_up(resource_name, resource)
+            respond_with resource, location: after_sign_up_path_for(resource)
+          else
+            set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
+            #expire_session_data_after_sign_in!  <-- DEPRECATED BY DEVISE
+            respond_with resource, location: after_inactive_sign_up_path_for(resource)
+          end
+        else
+          clean_up_passwords resource
+          redirect_to after_sign_up_error_path_for(resource), alert: _('Error processing registration. Please check that you have entered a valid email address and that your chosen password is at least 8 characters long.')
+        end
+      end
     end
   end
 
@@ -73,7 +73,7 @@
       @other_organisations = Org.where(parent_id: nil, is_other: true).pluck(:id)
       @identifier_schemes = IdentifierScheme.where(active: true).order(:name)
       @languages = Language.sorted_by_abbreviation
-      do_update
+      do_update(require_password=needs_password?(current_user, params))
     else
       render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
     end
@@ -89,18 +89,30 @@
   end
 
   def do_update(require_password = true, confirm = false)
-	  if require_password then
-		  successfully_updated = if needs_password?(current_user, params)
-      current_user.update_with_password(update_params)
-      else
-        # remove the virtual current_password attribute update_without_password
-        # doesn't know how to ignore it
-        params[:user].delete(:current_password)
-        current_user.update_without_password(update_params)
+    if require_password                        # user is changing email or password
+      if current_user.email != params[:user][:email]   # if user changing email
+        if params[:user][:current_password].blank?    # password needs to be present
+          message = _('Please enter your password to change email address.')
+          succesfully_updated = false
+        else
+          succesfully_updated = current_user.update_with_password(password_update)
+        end
+      elsif params[:user][:password].present? # user is changing password
+        succesfully_updated = false      # shared across first 3 conditions
+        if params[:user][:current_password].blank?
+          message = _('Please enter your current password')
+        elsif params[:user][:password_confirmation].blank?
+          message = _('Please enter a password confirmation')
+        elsif params[:user][:password] != params[:user][:password_confirmation]
+          message = _('Password and comfirmation must match')
+        else
+          succesfully_updated = current_user.update_with_password(password_update)
+        end
+      else    # potentially unreachable... but I dont like to leave off the else
+        succesfully_updated = current_user.update_with_password(password_update)
       end
-    else
-    	current_user.update_attributes(password_update)
-    	successfully_updated = current_user.update_without_password(update_params)
+    else        # password not required
+      current_user.update_without_password(update_params)
     end
 
     #unlink shibboleth from user's details
@@ -108,34 +120,38 @@
       current_user.update_attributes(shibboleth_id: "")
     end
 
-    if successfully_updated
-  		if confirm then
-  			current_user.skip_confirmation!
-  			current_user.save!
-  		end
-        session[:locale] = current_user.get_locale unless current_user.get_locale.nil?
-        set_gettext_locale  #Method defined at controllers/application_controller.rb
-        set_flash_message :notice, :updated
-        sign_in current_user, bypass_sign_in: true  # Sign in the user bypassing validation in case his password changed
-        redirect_to({:controller => "registrations", :action => "edit"}, {:notice => _('Details successfully updated.')})
+    #render the correct page
+    if succesfully_updated
+      if confirm
+        current_user.skip_confirmation!
+        current_user.save!
+      end
+      session[:locale] = current_user.get_locale unless current_user.get_locale.nil?
+      set_gettext_locale  #Method defined at controllers/application_controller.rb
+      set_flash_message :notice, :updated
+      sign_in current_user, bypass_sign_in: true  # Sign in the user bypassing validation in case his password changed
+      redirect_to({:controller => "registrations", :action => "edit"}, {:notice => _('Details successfully updated.')})
     else
+      flash[:notice] = message.blank? ? _('Update unsucessful, changes not saved') : messages
       render "edit"
     end
   end
 
   def sign_up_params
-    params.require(:user).permit(:email, :password, :password_confirmation, 
+    params.require(:user).permit(:email, :password, :password_confirmation,
                                  :accept_terms, :org_id, :other_organisation)
   end
 
   def update_params
-    params.require(:user).permit(:email, :password, :firstname, :current_password,
-                                 :org_id, :other_organisation, :language_id, 
-                                 :password_confirmation)
+    params.require(:user).permit(:firstname, :org_id, :other_organisation,
+                                :language_id, :surname)
   end
 
   def password_update
-    params.require(:user).permit(:password, :password_confirmation)
+    params.require(:user).permit(:email, :firstname, :current_password,
+                                :org_id, :language_id, :password,
+                                :password_confirmation, :surname,
+                                :other_organisation)
   end
 
 end