diff --git a/flashcards/api.py b/flashcards/api.py
index eb40bbb..e4e9ff0 100644
--- a/flashcards/api.py
+++ b/flashcards/api.py
@@ -11,30 +11,23 @@ from flashcards.serializers import *
 class UserDetail(APIView):
     def patch(self, request, format=None):
         """
-            Updates a user's password after they enter a valid old password.
-            TODO: email verification
+            This method checks either the email or the password passed in
+            is valid.  If confirmation key is correct, it validates the
+            user.  It updates the password if the new password
+            is valid.
+            
         """
+        currentuser = request.user           
 
-        if 'old_password' not in request.data:
-            raise ValidationError('Old password is required')
-        if 'new_password' not in request.data:
-            raise ValidationError('New password is required')
-        if not request.data['new_password']:
-            raise ValidationError('Password cannot be blank')
+        if 'confirmation_key' in request.data:
+            if not currentuser.confirm_email( request.data['confirmation_key'] ):
+                raise ValidationError('confirmation_key is invalid')
 
-        currentuser = request.user
-
-        if not currentuser.check_password(request.data['old_password']):
-            raise ValidationError('Invalid old password')
-
-        send_mail("Please verify your Flashy account",
-                  body % currentuser.confirmation_key,
-                  "noreply@flashy.cards",
-                  [currentuser.email])
-
-        currentuser.confirm_email( currentuser.confirmation_key )
-
-        if currentuser.isconfirmed
+        if 'new_password' in request.data:            
+            if not currentuser.check_password(request.data['old_password']):
+                raise ValidationError('Invalid old password')
+            if not request.data['new_password']:
+                raise ValidationError('Password cannot be blank')
             currentuser.set_password(request.data['new_password'])
             currentuser.save()
 
@@ -60,11 +53,6 @@ class UserDetail(APIView):
             If you did not register for Flashy, no action is required.
         '''
 
-        send_mail("Please verify your Flashy account",
-                  body % user.confirmation_key,
-                  "noreply@flashy.cards",
-                  [user.email])
-
         user = authenticate(email=email, password=request.data['password'])
         login(request, user)
         return Response(UserSerializer(user).data)
@@ -98,7 +86,7 @@ class UserLogin(APIView):
         if not user.is_active:
             raise ValidationError('Account is disabled')
         login(request, user)
-        return Response(UserSerializer(User).data)
+        return Response(UserSerializer(user).data)
 
 
 class PasswordReset(APIView):