diff --git a/test/api/user/batch-update/POST-user_batch-update.test.js b/test/api/user/batch-update/POST-user_batch-update.test.js
new file mode 100644
index 0000000000..b5bcbea9ba
--- /dev/null
+++ b/test/api/user/batch-update/POST-user_batch-update.test.js
@@ -0,0 +1,68 @@
+import {
+ generateUser,
+ requester,
+} from '../../../helpers/api.helper';
+
+import { each } from 'lodash';
+
+describe('POST /user/batch-update', () => {
+ let api, user;
+
+ beforeEach(() => {
+ return generateUser().then((usr) => {
+ user = usr;
+ api = requester(user);
+ });
+ });
+
+ context('allowed operations', () => {
+ it('makes batch operations', () => {
+ let task;
+
+ return api.get('/user/tasks').then((tasks) => {
+ task = tasks[0];
+ return api.post('/user/batch-update', [
+ {op: 'update', body: {'stats.hp': 30}},
+ {op: 'update', body: {'profile.name': 'Samwise'}},
+ {op: 'score', params: { direction: 'up', id: task.id }},
+ ]);
+ }).then((user) => {
+ expect(user.stats.hp).to.eql(30);
+ expect(user.profile.name).to.eql('Samwise');
+ return api.get(`/user/tasks/${task.id}`);
+ }).then((task) => {
+ expect(task.value).to.be.greaterThan(0);
+ });
+ });
+ });
+
+ context('development only operations', () => {
+ let protectedOperations = {
+ 'Add Ten Gems': 'addTenGems',
+ 'Add Hourglass': 'addHourglass',
+ };
+
+ each(protectedOperations, (operation, description) => {
+
+ it(`it sends back a 500 error for ${description} operation`, () => {
+ return expect(api.post('/user/batch-update', [
+ {op: operation},
+ ])).to.eventually.be.rejected.and.eql({
+ code: 500,
+ text: `${operation} operation not found`,
+ });
+ });
+ });
+ });
+
+ context('unknown operations', () => {
+ it('sends back a 500 error', () => {
+ return expect(api.post('/user/batch-update', [
+ {op: 'aNotRealOperation'},
+ ])).to.eventually.be.rejected.and.eql({
+ code: 500,
+ text: 'aNotRealOperation operation not found',
+ });
+ });
+ });
+});
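Review bot: All three rejection cases use names that are simply absent from `api`, so the suite never exercises an `op` that is missing, is not a string, or resolves to something on `api` that is not meant to be a batchable operation; add one case for each and assert that it is rejected. The 'development only operations' context passes only if the server under test does not register `addTenGems` and `addHourglass`, which presumably depends on its environment setting, so state that above `protectedOperations`, e.g. `// these ops must not be registered outside development; the test server is assumed to run in a non-development mode`. In 'makes batch operations' the `.then((user) =>` and `.then((task) =>` parameters shadow the outer `user` and `task`, which makes it easy to assert on the wrong object; `updatedUser` and `updatedTask` would read more clearly.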
diff --git a/website/src/controllers/user.js b/website/src/controllers/user.js
index 2fd0f52616..b85c63e2cd 100644
--- a/website/src/controllers/user.js
+++ b/website/src/controllers/user.js
@@ -606,6 +606,7 @@ api.batchUpdate = function(req, res, next) {
 return cb(code+": "+ (data.message ? data.message : data.err ? data.err : JSON.stringify(data)));
 return cb();
 };
+ if(!api[_req.op]) { return cb(_req.op + ' operation not found'); }
 api[_req.op](_req, res, cb);
 });
 })
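Review bot: The added guard `if(!api[_req.op])` tests only truthiness, so an `op` taken from the request body that names an inherited member of `api`, or a property that is not a function, still gets past it and reaches `api[_req.op](_req, res, cb)` on the next line. Every handler on `api` is also dispatchable this way, `batchUpdate` itself included, so an explicit list of operations that are meant to be batched is the safer check; at minimum use `if (typeof _req.op !== 'string' || !Object.prototype.hasOwnProperty.call(api, _req.op) || typeof api[_req.op] !== 'function') { return cb(_req.op + ' operation not found'); }`. The accompanying tests pin this case to a 500, which reports a malformed client request as a server fault; a 4xx would keep it out of server-error alerting, though where the string passed to `cb` becomes the response is not visible here. `api.batchUpdate` starts and ends outside the hunk.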