diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b15f6e348..7c8471303 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -80,7 +80,7 @@ class UsersController < ApplicationController
 end
 def destroy
- if params[:user][:current_password] && current_user.valid_password?(params[:user][:current_password])
+ if params[:user] && params[:user][:current_password] && current_user.valid_password?(params[:user][:current_password])
 Resque.enqueue(Jobs::DeleteAccount, current_user.id)
 current_user.lock_access!
 sign_out current_user
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 33b92b42e..568fdcff7 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -189,16 +189,16 @@ describe UsersController do
 describe '#destroy' do
 it 'does nothing if the password does not match' do
 Resque.should_not_receive(:enqueue)
- delete :destroy, :password => "stuff"
+ delete :destroy, :user => { :current_password => "stuff" }
 end
 it 'enqueues a delete job' do
 Resque.should_receive(:enqueue).with(Jobs::DeleteAccount, alice.id)
- delete :destroy, :password => "bluepin7"
+ delete :destroy, :user => { :current_password => "bluepin7" }
 end
 it 'locks the user out' do
- delete :destroy, :password => "bluepin7"
+ delete :destroy, :user => { :current_password => "bluepin7" }
 alice.reload.access_locked?.should be_true
 end
 end
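Review bot: The new guard in `destroy` still assumes `params[:user]` is hash-like. A request that sends `user` as a plain string passes `params[:user] &&` and then, as far as I can tell, raises on `params[:user][:current_password]`, so a malformed request would still end in a 500 instead of the ordinary wrong-password path. Because this condition is the re-authentication gate for account deletion, I would read the value once and type-check it: `password = params[:user].is_a?(Hash) && params[:user][:current_password]` and then `if password.is_a?(String) && current_user.valid_password?(password)` (adjust the Hash test if this Rails version wraps params in another class). The rest of `destroy`, including whatever happens when the check fails, lies outside the hunk.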
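Review bot: None of the three `#destroy` examples exercises the request the controller change guards against, a DELETE with no `:user` key at all. An example that calls `delete :destroy` with no parameters under `Resque.should_not_receive(:enqueue)` would pin the nil guard. The 'does nothing if the password does not match' example also asserts only that no job is enqueued; adding `alice.reload.access_locked?.should be_false` would confirm that a wrong password does not lock the account either.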