diff --git a/src/routes/profile.js b/src/routes/profile.js index 34fa6806d..6ca528eb5 100644 --- a/src/routes/profile.js +++ b/src/routes/profile.js @@ -16,12 +16,8 @@ exports = module.exports = { var assert = require('assert'), auditSource = require('../auditsource.js'), BoxError = require('../boxerror.js'), - fs = require('fs'), HttpError = require('connect-lastmile').HttpError, HttpSuccess = require('connect-lastmile').HttpSuccess, - path = require('path'), - paths = require('../paths.js'), - safe = require('safetydance'), users = require('../users.js'), settings = require('../settings.js'), _ = require('underscore'); @@ -41,8 +37,6 @@ function authorize(req, res, next) { function get(req, res, next) { assert.strictEqual(typeof req.user, 'object'); - const emailHash = require('crypto').createHash('md5').update(req.user.email).digest('hex'); - next(new HttpSuccess(200, { id: req.user.id, username: req.user.username, @@ -52,7 +46,7 @@ function get(req, res, next) { twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled, role: req.user.role, source: req.user.source, - avatarUrl: fs.existsSync(path.join(paths.PROFILE_ICONS_DIR, req.user.id)) ? `${settings.adminOrigin()}/api/v1/profile/avatar/${req.user.id}` : `https://www.gravatar.com/avatar/${emailHash}.jpg` + avatarUrl: users.getAvatarUrlSync(req.user) })); } 
@@ -78,21 +72,27 @@ function setAvatar(req, res, next) { if (!req.files.avatar) return next(new HttpError(400, 'avatar is missing')); - if (!safe.fs.renameSync(req.files.avatar.path, path.join(paths.PROFILE_ICONS_DIR, req.user.id))) return next(new HttpError(500, safe.error)); + users.setAvatar(req.user.id, req.files.avatar.path, function (error) { + if (error) return next(BoxError.toHttpError(error)); - next(new HttpSuccess(202, {})); + next(new HttpSuccess(202, {})); + }); } function clearAvatar(req, res, next) { assert.strictEqual(typeof req.user, 'object'); - safe.fs.unlinkSync(path.join(paths.PROFILE_ICONS_DIR, req.user.id)); + users.clearAvatar(req.user, function (error) { + if (error) return next(BoxError.toHttpError(error)); - next(new HttpSuccess(202, {})); + next(new HttpSuccess(202, {})); + }); } function getAvatar(req, res) { - res.sendFile(path.join(paths.PROFILE_ICONS_DIR, req.params.identifier)); + assert.strictEqual(typeof req.params.identifier, 'string'); + + res.sendFile(users.getAvatarFileSync(req.params.identifier)); } function changePassword(req, res, next) { diff --git a/src/users.js b/src/users.js index 02520a97a..d24a83939 100644 --- a/src/users.js +++ b/src/users.js @@ -30,6 +30,10 @@ exports = module.exports = { sendPasswordResetByIdentifier: sendPasswordResetByIdentifier, setupAccount, + getAvatarUrlSync, + getAvatarFileSync, + setAvatar, + clearAvatar, count: count, @@ -57,9 +61,11 @@ let assert = require('assert'), debug = require('debug')('box:user'), eventlog = require('./eventlog.js'), externalLdap = require('./externalldap.js'), + fs = require('fs'), groups = require('./groups.js'), hat = require('./hat.js'), mailer = require('./mailer.js'), + path = require('path'), paths = require('./paths.js'), qrcode = require('qrcode'), safe = require('safetydance'), 
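Review bot: The new `clearAvatar` route passes the whole `req.user` object to `users.clearAvatar`, but that function in the `src/users.js` part of this commit begins with `assert.strictEqual(typeof id, 'string')`, so the call throws an AssertionError instead of removing the avatar. The call should read `users.clearAvatar(req.user.id, function (error) {`, matching how `setAvatar` just above it passes `req.user.id`. Because the assertion fires synchronously before the callback runs, the `BoxError.toHttpError` branch is never reached, and what the client receives depends on error handling outside this hunk.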
@@ -793,3 +799,38 @@ function delAppPassword(id, callback) { callback(null); }); } + +function getAvatarFileSync(id) { + assert.strictEqual(typeof id, 'string'); + + return path.join(paths.PROFILE_ICONS_DIR, id); +} + +function getAvatarUrlSync(user) { + assert.strictEqual(typeof user, 'object'); + + if (fs.existsSync(path.join(paths.PROFILE_ICONS_DIR, user.id))) return `${settings.adminOrigin()}/api/v1/profile/avatar/${user.id}`; + + const emailHash = require('crypto').createHash('md5').update(user.email).digest('hex'); + return `https://www.gravatar.com/avatar/${emailHash}.jpg`; +} + +function setAvatar(id, filename, callback) { + assert.strictEqual(typeof id, 'string'); + assert.strictEqual(typeof filename, 'string'); + assert.strictEqual(typeof callback, 'function'); + + fs.rename(filename, path.join(paths.PROFILE_ICONS_DIR, id), function (error) { + if (error) return callback(new BoxError(BoxError.FS_ERROR, error.message)); + + callback(); + }); +} + +function clearAvatar(id, callback) { + assert.strictEqual(typeof id, 'string'); + assert.strictEqual(typeof callback, 'function'); + + safe.fs.unlinkSync(path.join(paths.PROFILE_ICONS_DIR, id)); + callback(); +}
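Review bot: `getAvatarFileSync` joins `id` onto `paths.PROFILE_ICONS_DIR` after only a type check, and the `getAvatar` route in `src/routes/profile.js` passes it `req.params.identifier` straight from the request before handing the result to `res.sendFile`. Because `path.join` normalises `..` segments, the returned path is not guaranteed to stay inside the icons directory, and a later check on the already-joined path cannot see those segments. I would reject anything that is not a bare file name, e.g. `if (id !== path.basename(id) || id === '.' || id === '..') return null;`, and have the route answer 404 when it gets `null`. `setAvatar`, `clearAvatar` and `getAvatarUrlSync` build the path the same way but, as far as this diff shows, are only meant to receive `req.user.id`.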