diff --git a/test/api/user/PUT-user.test.js b/test/api/user/PUT-user.test.js
index 8865bfacf9..3a76f065f9 100644
--- a/test/api/user/PUT-user.test.js
+++ b/test/api/user/PUT-user.test.js
@@ -53,4 +53,23 @@ describe.only('PUT /user', () => {
 });
 });
 });
+
+ context('sub-level protected paths', () => {
+ let protectedPaths = {
+ 'class stat': {'stats.class': 'wizard'},
+ };
+
+ each(protectedPaths, (data, testName) => {
+ it(`does not allow updating ${testName}`, () => {
+ let errorText = [];
+ each(data, (value, path) => {
+ errorText.push(`path \`${path}\` was not saved, as it's a protected path. See https://github.com/HabitRPG/habitrpg/blob/develop/API.md for PUT /api/v2/user.`);
+ });
+ return expect(api.put('/user', data)).to.eventually.be.rejected.and.eql({
+ code: 401,
+ text: errorText,
+ });
+ });
+ });
+ });
 });
diff --git a/website/src/controllers/user.js b/website/src/controllers/user.js
index b77d10df7f..c4270b0437 100644
--- a/website/src/controllers/user.js
+++ b/website/src/controllers/user.js
@@ -298,10 +298,9 @@ acceptablePUTPaths = _.reduce(require('./../models/user').schema.paths, function
 return m;
 }, {})
 
-//// Uncomment this if we we want to disable GP-restoring (eg, holiday events)
-//_.each('stats.gp'.split(' '), function(removePath){
-// delete acceptablePUTPaths[removePath];
-//})
+_.each('stats.class'.split(' '), function(removePath){
+ delete acceptablePUTPaths[removePath];
+})
 
 /**
 * Update user
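Review bot: The new `sub-level protected paths` test only checks that the request is rejected with the documented message; it never reads the user back to confirm that `stats.class` was not persisted, which is the property a protected-path allow-list actually guards. After the rejection, fetch the user and assert the class is unchanged (assuming the harness exposes a GET helper alongside the `api.put` used here). Separately, the suite header visible in the hunk context is `describe.only`, which if it reaches the main branch makes the runner skip every other spec, and `protectedPaths` / `errorText` are never reassigned, so `const` fits. The expected `code: 401` mirrors the server, but rejecting a field on an already-authenticated request is semantically a 403; worth tracking as a server-side follow-up rather than baking into more tests.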
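Review bot: The new `_.each` deletes `stats.class` from `acceptablePUTPaths` by exact key, so it blocks a write addressed as `stats.class`, but whether the same change submitted as a parent object such as `{stats: {class: 'wizard'}}` is also blocked depends on how the `_.reduce` above (whose body starts before this hunk) keys the allow-list and whether the PUT handler rejects non-leaf paths; please confirm with a second test case. Replacing the old commented-out template with a live rule also drops any rationale, so add one above the block: `// stats.class must not be writable through generic PUT; presumably class changes belong to a dedicated flow — confirm`. `'stats.class'.split(' ')` is an indirect way to write a one-element list; `var protectedPUTPaths = ['stats.class'];` iterated by `_.each` reads better and gives PUT-user.test.js a single source of truth for the same list.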