diff --git a/src/server.js b/src/server.js
index 43985e254..7103fb691 100644
--- a/src/server.js
+++ b/src/server.js
@@ -144,7 +144,7 @@ function initializeExpressSync() {
     router.get ('/api/v1/profile',                                       token, routes.profile.get);
     router.post('/api/v1/profile',                                 json, token, routes.profile.authorize, routes.profile.update);
     router.get ('/api/v1/profile/avatar/:identifier',                           routes.profile.getAvatar); // this is not scoped so it can used directly in img tag
-    router.post('/api/v1/profile/avatar',                          json, token, routes.profile.authorize, multipart, routes.profile.setAvatar);
+    router.post('/api/v1/profile/avatar',                          json, token, multipart, routes.profile.setAvatar); // avatar is not exposed in LDAP. so it's personal and not locked
     router.del ('/api/v1/profile/avatar',                                token, routes.profile.clearAvatar);
     router.post('/api/v1/profile/password',                        json, token, routes.users.verifyPassword, routes.profile.changePassword);
     router.post('/api/v1/profile/twofactorauthentication',         json, token, routes.profile.setTwoFactorAuthenticationSecret);