diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 3404883..c4a22d0 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -47,7 +47,7 @@ class PostsController < ApplicationController
 def trash
 raise AccessError unless @post.can_destroy? cuser
 @post.trash
-if Topic.exists? @post.topic
+if @post.topic.exists?
 redirect_to @post.topic
 else
 redirect_to @post.topic.forum
@@ -57,7 +57,7 @@ class PostsController < ApplicationController
 def destroy
 raise AccessError unless @post.can_destroy? cuser
 @post.destroy
-if Topic.exists? @post.topic
+if @post.topic.exists?
 redirect_to @post.topic
 else
 redirect_to @post.topic.forum
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index cb4ae4e..0e7bc5a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -53,7 +53,7 @@ class UsersController < ApplicationController
 end
 
 def create
-@user = User.new(User.params(params, cuser))
+@user = User.new(User.params(params, cuser, "create"))
 # FIXME: move to model
 @user.lastvisit = Date.today
 @user.lastip = request.env['REMOTE_ADDR']
@@ -75,7 +75,7 @@ class UsersController < ApplicationController
 raise AccessError unless @user.can_update? cuser
 # FIXME: use permit
 params[:user].delete(:username) unless @user.can_change_name? cuser
-if @user.update_attributes(User.params(params, cuser))
+if @user.update_attributes(User.params(params, cuser, "update"))
 flash[:notice] = t(:users_update)
 redirect_to_back
 else
diff --git a/app/models/user.rb b/app/models/user.rb
index c04157f..06b8dbd 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
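Review bot: `@post.topic.exists?` now calls `exists?` on the association target instead of on the `Topic` class; ActiveRecord defines `exists?` on the class and on relations, so unless `Topic` adds an instance-level `exists?` (not visible in this diff) the `trash` action raises NoMethodError, and it raises in any case when `@post.topic` is nil, which the old `Topic.exists? @post.topic` answered with false. The `destroy` hunk below makes the identical change. If the goal is to re-check that the topic still exists after the post is removed, a class-level query such as `Topic.exists?(@post.topic_id)` (assuming the conventional foreign-key name) keeps the old nil-safe semantics, and the else branch's `@post.topic.forum` should then be reviewed for the nil case as well. Both `trash` and `destroy` continue past the end of their hunks.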
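Review bot: The operation is passed as a bare string literal ("create" here and "update" in the `update` hunk below), and the `User.params` change in this same diff only ever tests `operation == 'create'`, so any other value, including a misspelling in either file, silently falls through to the non-admin rule without an error. A symbol, `User.params(params, cuser, :create)` with the model comparing against `:create`, or a keyword such as `permit_username:` computed by the controller, would make the contract explicit and fail loudly on a typo. Both `create` and `update` continue outside their hunks.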
@@ -115,7 +115,7 @@ class User < ActiveRecord::Base
 validates_length_of :email, :maximum => 50
 validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
 validates_length_of :steamid, :maximum => 30
-validates_format_of :steamid, :with => /\A([0-9]{1,10}:){2}[0-9]{1,10}\Z/
+validates_format_of :steamid, :with => /\ASTEAM_[0-5]:[01]:\d+\Z/
 validates_length_of :time_zone, :maximum => 100, :allow_blank => true, :allow_nil => true
 validates_inclusion_of [:public_email], :in => [true, false], :allow_nil => true
 validate :validate_team
@@ -354,10 +354,12 @@ class User < ActiveRecord::Base Group.find(Group::CASTERS).users.order(:username) end - def self.params(params, cuser) - profile_attrs = cuser.profile.attributes.keys - ["id", "created_at", "updated_at"] - allowed = [:raw_password, :firstname, :lastname, :email, :steamid, :country, :birthdate, :timezone, :public_email, :filter, :time_zone, :team_id, profile_attributes: [profile_attrs]] - allowed << :username if cuser.admin? + def self.params(params, cuser, operation) + profile_attrs ||= cuser.profile.attributes.keys - ["id", "created_at", "updated_at"] if cuser + allowed = [:raw_password, :firstname, :lastname, :email, :steamid, :country, \ :birthdate, :timezone, :public_email, :filter, :time_zone, :team_id, \ profile_attributes: [profile_attrs]] + allowed << :username if cuser&.admin? || operation == 'create' params.require(:user).permit(*allowed) end end
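Review bot: The new `steamid` pattern ends with `\Z`, which still matches a value carrying a trailing newline, so `"STEAM_0:1:123\n"` passes `validates_format_of`; `\z` anchors at the true end of the string: `validates_format_of :steamid, :with => /\ASTEAM_[0-5]:[01]:\d+\z/`. The `email` pattern on the context line above uses `\Z` the same way, though that line is not part of this change.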
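Review bot: `profile_attrs ||= … if cuser` leaves `profile_attrs` nil for an anonymous caller, a case the new `cuser&.admin?` guard shows is now expected, and that nil is still spliced into `permit` as `profile_attributes: [nil]`; the `||=` is also a no-op on a local that has not been assigned before. Whether strong parameters treats `[nil]` as "permit nothing" or raises depends on the Rails version, so the `profile_attributes` filter should only be appended when a profile is actually available. The permitted profile keys are still derived from the caller's own profile column list rather than an explicit allow-list, a pattern this hunk keeps; it is worth confirming that no Profile column should be protected from mass assignment. The rewritten method is below; the old and new `allowed` lists are otherwise unchanged.
```ruby
def self.params(params, cuser, operation)
  allowed = [:raw_password, :firstname, :lastname, :email, :steamid, :country,
             :birthdate, :timezone, :public_email, :filter, :time_zone, :team_id]
  if cuser
    # NOTE(review): column list of the caller's profile; an explicit allow-list would be safer
    profile_attrs = cuser.profile.attributes.keys - %w[id created_at updated_at]
    allowed << { profile_attributes: profile_attrs }
  end
  allowed << :username if cuser&.admin? || operation == 'create'
  params.require(:user).permit(*allowed)
end
```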