diff --git a/src/api/index.js b/src/api/index.js
index 4be8b235e3..5c46f4a6d3 100644
--- a/src/api/index.js
+++ b/src/api/index.js
@@ -1,5 +1,6 @@
 'use strict';
 
 module.exports = {
+	users: require('./users'),
 	groups: require('./groups'),
 };
diff --git a/src/api/users.js b/src/api/users.js
new file mode 100644
index 0000000000..2062846981
--- /dev/null
+++ b/src/api/users.js
@@ -0,0 +1,65 @@
+'use strict';
+
+const user = require('../user');
+const meta = require('../meta');
+const privileges = require('../privileges');
+const events = require('../events');
+
+const usersAPI = module.exports;
+
+usersAPI.create = async function (caller, data) {
+	const uid = await user.create(data);
+	return await user.getUserData(uid);
+};
+
+usersAPI.update = async function (caller, data) {
+	const targetUid = caller.params ? caller.params.uid : data.uid;
+
+	const oldUserData = await user.getUserFields(targetUid, ['email', 'username']);
+	if (!oldUserData || !oldUserData.username) {
+		throw new Error('[[error:invalid-data]]');
+	}
+
+	const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([
+		user.isAdminOrGlobalMod(caller.uid),
+		privileges.users.canEdit(caller.uid, targetUid),
+		data.password ? user.isPasswordCorrect(targetUid, data.password, caller.ip) : false,
+	]);
+
+	// Changing own email/username requires password confirmation
+	if (caller.uid === targetUid && !passwordMatch) {
+		throw new Error('[[error:invalid-password]]');
+	}
+
+	if (!canEdit) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) {
+		data.username = oldUserData.username;
+	}
+
+	if (!isAdminOrGlobalMod && meta.config['email:disableEdit']) {
+		data.email = oldUserData.email;
+	}
+
+	data.uid = targetUid;	// The `uid` argument in `updateProfile` refers to calling user, not target user
+	await user.updateProfile(caller.uid, data);
+	const userData = await user.getUserData(data.uid);
+
+	async function log(type, eventData) {
+		eventData.type = type;
+		eventData.uid = caller.uid;
+		eventData.targetUid = targetUid;
+		eventData.ip = caller.ip;
+		await events.log(eventData);
+	}
+
+	if (userData.email !== oldUserData.email) {
+		await log('email-change', { oldEmail: oldUserData.email, newEmail: userData.email });
+	}
+
+	if (userData.username !== oldUserData.username) {
+		await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
+	}
+};
diff --git a/src/controllers/write/users.js b/src/controllers/write/users.js
index 80421069ae..362a8035e4 100644
--- a/src/controllers/write/users.js
+++ b/src/controllers/write/users.js
@@ -1,10 +1,12 @@
 'use strict';
 
+const api = require('../../api');
 const user = require('../../user');
 const groups = require('../../groups');
 const plugins = require('../../plugins');
 const privileges = require('../../privileges');
 const notifications = require('../../notifications');
+const flags = require('../../flags');
 const meta = require('../../meta');
 const events = require('../../events');
 const translator = require('../../translator');
@@ -17,60 +19,13 @@ const sockets = require('../../socket.io');
 const Users = module.exports;
 
 Users.create = async (req, res) => {
-	const uid = await user.create(req.body);
-	helpers.formatApiResponse(200, res, await user.getUserData(uid));
+	const userObj = await api.users.create(req, req.body);
+	helpers.formatApiResponse(200, res, userObj);
 };
 
 Users.update = async (req, res) => {
-	const oldUserData = await user.getUserFields(req.params.uid, ['email', 'username']);
-	if (!oldUserData || !oldUserData.username) {
-		throw new Error('[[error:invalid-data]]');
-	}
-
-	const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([
-		user.isAdminOrGlobalMod(req.user.uid),
-		privileges.users.canEdit(req.user.uid, req.params.uid),
-		req.body.password ? user.isPasswordCorrect(req.body.uid, req.body.password, req.ip) : false,
-	]);
-
-	// Changing own email/username requires password confirmation
-	if (req.user.uid === req.body.uid && !passwordMatch) {
-		return helpers.formatApiResponse(403, res, new Error('[[error:invalid-password]]'));
-	}
-
-	if (!canEdit) {
-		return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
-	}
-
-	if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) {
-		req.body.username = oldUserData.username;
-	}
-
-	if (!isAdminOrGlobalMod && meta.config['email:disableEdit']) {
-		req.body.email = oldUserData.email;
-	}
-
-	req.body.uid = req.params.uid;	// The `uid` argument in `updateProfile` refers to calling user, not target user
-	await user.updateProfile(req.user.uid, req.body);
-	const userData = await user.getUserData(req.body.uid);
-
-	async function log(type, eventData) {
-		eventData.type = type;
-		eventData.uid = req.user.uid;
-		eventData.targetUid = req.params.uid;
-		eventData.ip = req.ip;
-		await events.log(eventData);
-	}
-
-	if (userData.email !== oldUserData.email) {
-		await log('email-change', { oldEmail: oldUserData.email, newEmail: userData.email });
-	}
-
-	if (userData.username !== oldUserData.username) {
-		await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
-	}
-
-	helpers.formatApiResponse(200, res, userData);
+	const userObj = await api.users.update(req, req.body);
+	helpers.formatApiResponse(200, res, userObj);
 };
 
 Users.delete = async (req, res) => {
@@ -108,6 +63,7 @@ async function processDeletion(uid, req, res) {
 	}
 
 	// TODO: clear user tokens for this uid
+	await flags.resolveFlag('user', uid, req.user.uid);
 	const userData = await user.delete(req.user.uid, uid);
 	await events.log({
 		type: 'user-delete',
@@ -185,6 +141,7 @@ Users.ban = async (req, res) => {
 		reason: req.body.reason,
 	});
 
+	await flags.resolveFlag('user', req.params.uid, req.user.uid);
 	await events.log({
 		type: 'user-ban',
 		uid: req.user.uid,
diff --git a/src/socket.io/admin/user.js b/src/socket.io/admin/user.js
index c63032273f..44a8de4075 100644
--- a/src/socket.io/admin/user.js
+++ b/src/socket.io/admin/user.js
@@ -4,6 +4,7 @@ const async = require('async');
 const winston = require('winston');
 
 const db = require('../../database');
+const api = require('../../api');
 const groups = require('../../groups');
 const user = require('../../user');
 const events = require('../../events');
@@ -59,11 +60,7 @@ User.removeAdmins = async function (socket, uids) {
 
 User.createUser = async function (socket, userData) {
 	sockets.warnDeprecated(socket, 'POST /api/v3/users');
-
-	if (!userData) {
-		throw new Error('[[error:invalid-data]]');
-	}
-	return await user.create(userData);
+	return await api.users.create(socket, userData);
 };
 
 User.resetLockouts = async function (socket, uids) {