diff --git a/taiga/users/api.py b/taiga/users/api.py
index e23f1d40..735d7c0d 100644
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@@ -23,6 +23,8 @@ from django.contrib.auth import logout, login, authenticate
 from django.contrib.auth.hashers import make_password
 from django.utils.translation import ugettext_lazy as _
+from easy_thumbnails.exceptions import InvalidImageFormatError
+
 from rest_framework.response import Response
 from rest_framework.filters import BaseFilterBackend
@@ -176,7 +178,12 @@ class UsersViewSet(ModelCrudViewSet):
 request.user.photo = avatar
 request.user.save(update_fields=["photo"])
+ try:
+ user_data = serializers.UserSerializer(request.user).data
+ except InvalidImageFormatError:
+ raise exc.WrongArguments(_("Invalid image format"))
 user_data = serializers.UserSerializer(request.user).data
+
 return Response(user_data, status=status.HTTP_200_OK)
 @detail_route(methods=["GET"])
diff --git a/tests/integration/resources_permissions/test_users_resources.py b/tests/integration/resources_permissions/test_users_resources.py
index 5c4c6ccb..6570ac90 100644
--- a/tests/integration/resources_permissions/test_users_resources.py
+++ b/tests/integration/resources_permissions/test_users_resources.py
@@ -12,8 +12,12 @@ from tests.utils import helper_test_http_method, disconnect_signals, reconnect_s
 import json
+from tempfile import NamedTemporaryFile
+
 pytestmark = pytest.mark.django_db
+DUMMY_BMP_DATA = b'BM:\x00\x00\x00\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x04\x00\x00\x00\x13\x0b\x00\x00\x13\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+
 def setup_module(module):
 disconnect_signals()
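Review bot: In the `@@ -176,7 +178,12 @@` hunk of taiga/users/api.py the new `try`/`except InvalidImageFormatError` runs only after `request.user.save(update_fields=["photo"])`, so an upload that cannot be thumbnailed is answered with `WrongArguments` but has already been stored as the user's photo. Any later serialization of that user would presumably raise the same exception outside this handler, so one bad upload can keep producing errors on other endpoints; validate the file before assigning it, or restore the previous photo in the `except` branch before raising. As far as the flattened hunk shows, the unguarded `user_data = serializers.UserSerializer(request.user).data` also remains as a context line after the new block, which would run the serializer a second time on success and looks like a leftover to delete. The enclosing method begins outside the hunk.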
@@ -155,10 +159,49 @@ def test_user_action_change_password(client, data):
 ]
- patch_data = json.dumps({"current_password": "test-current-password", "password": "test-password"})
- results = helper_test_http_method(client, 'post', url, patch_data, users)
+ post_data = json.dumps({"current_password": "test-current-password", "password": "test-password"})
+ results = helper_test_http_method(client, 'post', url, post_data, users)
 assert results == [401, 204, 204, 204]
+
+def test_user_action_change_avatar(client, data):
+ url = reverse('users-change-avatar')
+
+ users = [
+ None,
+ data.registered_user,
+ data.other_user,
+ data.superuser,
+ ]
+
+ with NamedTemporaryFile() as avatar:
+ avatar.write(DUMMY_BMP_DATA)
+ avatar.seek(0)
+
+ post_data = {
+ 'avatar': avatar
+ }
+
+ client.logout()
+ response = client.post(url, post_data)
+ assert response.status_code == 401
+
+ avatar.seek(0)
+ client.login(data.registered_user)
+ response = client.post(url, post_data)
+ assert response.status_code == 200
+
+ avatar.seek(0)
+ client.login(data.other_user)
+ response = client.post(url, post_data)
+ assert response.status_code == 200
+
+ avatar.seek(0)
+ client.login(data.superuser)
+ response = client.post(url, post_data)
+ assert response.status_code == 200
+
+
+
 def test_user_action_change_password_from_recovery(client, data):
 url = reverse('users-change-password-from-recovery')
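Review bot: `test_user_action_change_avatar` only ever posts `DUMMY_BMP_DATA`, a well-formed image, so the `InvalidImageFormatError` branch that this commit adds to the view is never exercised. Add a case that uploads non-image bytes as a logged-in user and asserts the client-error status that `exc.WrongArguments` maps to, and ideally that the user's stored photo is unchanged afterwards. The `users` list built at the top of the test is never read; either drop it or loop over it to replace the four near-identical seek/login/post/assert blocks.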