diff --git a/api/users.go b/api/users.go
index 93ba51d..199cc38 100644
--- a/api/users.go
+++ b/api/users.go
@@ -60,14 +60,12 @@ func (u UserService) List(val *url.Values, claims *types.Claims) (types.Entity,
 // Get retrieves a single user.
 func (u UserService) Get(id int64, dummy string, claims *types.Claims) (types.Entity, *types.AppError) {
- user, err := models.DbGetUserByID(id)
+ user, err := models.GetUser(id, dummy, claims)
 user.Password = ""
 if err != nil {
 return nil, newJSONError(err, http.StatusInternalServerError)
 }
- user.CanEdit = claims.Role == "A" || id == claims.Sub
-
 payload := payloads.User{
 User: user,
 Meta: &models.UserMeta{
@@ -81,7 +79,7 @@ func (u UserService) Get(id int64, dummy string, claims *types.Claims) (types.En
 func (u UserService) Update(id int64, e *types.Entity, dummy string, claims *types.Claims) *types.AppError {
 user := (*e).(*payloads.User).User
- originalUser, err := models.DbGetUserByID(id)
+ originalUser, err := models.GetUser(id, dummy, claims)
 if err != nil {
 return newJSONError(err, http.StatusInternalServerError)
 }
@@ -263,7 +261,7 @@ func HandleUserLockout(w http.ResponseWriter, r *http.Request) *types.AppError {
 func HandleUserPasswordChange(w http.ResponseWriter, r *http.Request) *types.AppError {
 claims := helpers.GetClaims(r)
- if err := models.UpdateUserPassword(claims.Sub, r.FormValue("password")); err != nil {
+ if err := models.UpdateUserPassword(&claims, r.FormValue("password")); err != nil {
 return newJSONError(err, http.StatusInternalServerError)
 }
diff --git a/handlers/handlers.go b/handlers/handlers.go
index 2c57caa..50b1733 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
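Review bot: In `UserService.Get`, `user.Password = ""` runs before the `err` check, and the failure path of `models.GetUser` visible later in this diff is `return nil, err`, so a failed lookup dereferences a nil `*User` and panics instead of returning the JSON error. Move the assignment below the check, i.e. `if err != nil { return nil, newJSONError(err, http.StatusInternalServerError) }` and only then `user.Password = ""`. Since every caller has to remember to blank this field, clearing it at the point where the payload is built is easy to miss in new handlers; a short comment there saying why the field is cleared would help. The rest of `Get` lies outside the hunk.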
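Review bot: `UserService.Update` now receives `originalUser.CanEdit` from `models.GetUser`, but nothing in this hunk checks it before the update proceeds. If the remainder of the function (outside the hunk) does not already enforce it, any authenticated caller could change another user's record by id; a guard right after the error check, such as `if !originalUser.CanEdit { return newJSONError(errors.New("forbidden"), http.StatusForbidden) }`, would make the flag an enforced decision rather than a hint for the client. The unchecked assertion `(*e).(*payloads.User)` on the context line above it panics on an unexpected entity type; the two-value form `p, ok := (*e).(*payloads.User)` avoids that.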
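Review bot: In `HandleUserPasswordChange`, `r.FormValue("password")` goes straight to `models.UpdateUserPassword` with no visible check that it is non-empty or meets a length policy, and `FormValue` returns `""` when the field is missing. The handler also does not ask for the current password, so a valid token alone appears to be enough to replace it; worth confirming that is intended. Input failures should map to `http.StatusBadRequest` rather than the blanket `http.StatusInternalServerError`. Most of `UpdateUserPassword` is outside this diff, so some of this may already be handled there.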
@@ -299,7 +299,7 @@ func (fn errorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func tokenRefresh(j *jwt.Middleware) errorHandler {
 t := func(w http.ResponseWriter, r *http.Request) *types.AppError {
 claims := helpers.GetClaims(r)
- user, err := models.DbGetUserByID(claims.Sub)
+ user, err := models.GetUser(claims.Sub, "", &claims)
 if err != nil {
 return newJSONError(err, http.StatusInternalServerError)
 }
diff --git a/models/users.go b/models/users.go
index b9f8fc2..9b04f96 100644
--- a/models/users.go
+++ b/models/users.go
@@ -112,8 +112,8 @@ func DbAuthenticate(email string, password string) error {
 return nil
 }
-// DbGetUserByID returns a specific user record by ID.
-func DbGetUserByID(id int64) (*User, error) {
+// GetUser returns a specific user record by ID.
+func GetUser(id int64, dummy string, claims *types.Claims) (*User, error) {
 var user User
 q := `SELECT * FROM users
@@ -126,6 +126,9 @@ func DbGetUserByID(id int64) (*User, error) {
 }
 return nil, err
 }
+
+ user.CanEdit = claims.Role == "A" || id == claims.Sub
+
 return &user, nil
 }
@@ -167,8 +170,8 @@ func ListUsers(opt helpers.ListOptions, claims *types.Claims) (*Users, error) {
 return &users, nil
 }
-func UpdateUserPassword(id int64, password string) error {
- user, err := DbGetUserByID(id)
+func UpdateUserPassword(claims *types.Claims, password string) error {
+ user, err := GetUser(claims.Sub, "", claims)
 if err != nil {
 return err
 }
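Review bot: The new `GetUser` signature carries a `dummy string` parameter that no visible line reads, and two of the four call sites in this commit (`tokenRefresh`, `UpdateUserPassword`) pass `""`; drop it or document why it has to stay. The doc comment should also say what `claims` is for, because a reader will otherwise assume it authorizes the read: `// GetUser returns the user with the given ID and sets CanEdit from claims. It does not restrict which IDs a caller may read; claims must be non-nil.` The query is `SELECT *`, so the returned record presumably includes the stored password value that `UserService.Get` blanks by hand; naming the needed columns, or clearing the field here, would remove that burden from callers. The function body runs past the end of this hunk.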
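Review bot: `claims.Role` and `claims.Sub` are dereferenced with no nil check, so `GetUser` panics when a caller passes nil claims; `UpdateUserPassword` in the last hunk has the same exposure at `claims.Sub`. A guard that defaults to deny keeps the data layer safe, `if claims != nil { user.CanEdit = claims.Role == "A" || id == claims.Sub }`, or the function can return an error for nil claims. The role literal `"A"` would be clearer as a named constant shared with the other role checks. The start of this function is in the previous hunk.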