diff --git a/core/migrations/0010_student_photo.py b/core/migrations/0010_student_photo.py
new file mode 100644
index 0000000000000000000000000000000000000000..2ed279ad7e922b03b5af6ee802dde16189e4a56f
--- /dev/null
+++ b/core/migrations/0010_student_photo.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.5 on 2017-04-24 13:34
+from __future__ import unicode_literals
+
+import core.models.accounts
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0009_auto_20170424_0909'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='student',
+            name='photo',
+            field=models.FileField(blank=True, null=True, upload_to=core.models.accounts.get_student_photo_file_path),
+        ),
+    ]
diff --git a/core/models/accounts.py b/core/models/accounts.py
index d371652d3f8ba85f8db3ece51a1bfdec14b6c5eb..607a4550387bca27204c0d323c5e5d2f66df9123 100644
--- a/core/models/accounts.py
+++ b/core/models/accounts.py
@@ -12,6 +12,12 @@ def get_student_resume_file_path(instance, filename):
     return os.path.join("student-resume/", filename)
 
 
+def get_student_photo_file_path(instance, filename):
+    extension = filename.split('.')[-1].lower()
+    filename = "%s.%s" % (uuid.uuid4(), extension)
+    return os.path.join("student-photo/", filename)
+
+
 def get_company_logo_file_path(instance, filename):
     extension = filename.split('.')[-1].lower()
     filename = "%s.%s" % (uuid.uuid4(), extension)
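Review bot: `get_student_photo_file_path` takes the stored extension straight from the client-supplied name via `filename.split('.')[-1]`, so a name with no dot becomes the whole "extension" and a name such as `x.html` or `x.svg` is stored verbatim under `student-photo/`; the uuid rename drops the client base name, so the extension is the only uploader-controlled part of the path, which is why it deserves a check. Prefer `_, extension = os.path.splitext(filename)` followed by `filename = "%s%s" % (uuid.uuid4(), extension.lower())`, and compare `extension` against the set of image extensions the application expects before building the path, since a file served back from the media directory gets its type from that suffix. The same derivation is pre-existing in `get_company_logo_file_path`, whose body continues outside the hunk; the new helper copies it rather than tightening it.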
@@ -56,6 +62,7 @@ class Student(models.Model):
     major = models.CharField(max_length=30, blank=True, null=True)
     batch = models.CharField(max_length=4, blank=True, null=True)
     show_transcript = models.BooleanField(default=False)
+    photo = models.FileField(upload_to=get_student_photo_file_path, null=True, blank=True)
 
     @property
     def name(self):
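Review bot: The new `photo` column is declared as `FileField`, which stores whatever bytes arrive; for a photo, `photo = models.ImageField(upload_to=get_student_photo_file_path, blank=True)` has Django verify on save that the upload decodes as an image (Pillow required), so non-image content cannot be stored under `student-photo/` behind an image extension. `null=True` is also unnecessary here: `FileField` and `ImageField` store a path string, and Django's convention for string-based fields is `blank=True` with an empty value rather than NULL. Either change means regenerating `0010_student_photo.py`, which this commit adds. The `Student` class body continues outside the hunk.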
diff --git a/core/tests/test_accounts.py b/core/tests/test_accounts.py
index 5fe32fb0955e129cfb89bbc1d971f1add288e748..e4889f544f125743816dbbf53186f6e55b88d359 100644
--- a/core/tests/test_accounts.py
+++ b/core/tests/test_accounts.py
@@ -2,13 +2,12 @@ import requests_mock
 from rest_framework import status
 from rest_framework.test import APIClient, APITestCase
 from django.contrib.auth.models import User
-from core.models.accounts import Company, Supervisor
+from core.models.accounts import Company, Supervisor, Student
 
 class LoginTests(APITestCase):
 
     @requests_mock.Mocker()
     def test_succesful_student_login_relogin(self, m):
-
         m.post('https://api.cs.ui.ac.id/authentication/ldap/v2/', json={
                 "username": "dummy.mahasiswa",
                 "nama": "Dummy Mahasiswa",
@@ -101,3 +100,49 @@ class RegisterTests(APITestCase):
         url = '/api/register/'
         response = self.client.post(url, {'username': 'lalala'}, format='multipart')
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+class ProfileUpdateTests(APITestCase):
+
+    @requests_mock.Mocker()
+    def test_student_profile_update(self, m):
+        m.post('https://api.cs.ui.ac.id/authentication/ldap/v2/', json={
+            "username": "dummy.mahasiswa",
+            "nama": "Dummy Mahasiswa",
+            "state": 1,
+            "kode_org": "01.00.12.01:mahasiswa",
+            "kodeidentitas": "1234567890",
+            "nama_role": "mahasiswa"
+        }, status_code=200)
+        m.get('https://api.cs.ui.ac.id/siakngcs/mahasiswa/1234567890/', json={
+            "kota_lahir": "kota_kota",
+            "tgl_lahir": "2017-12-31",
+            "program": [{
+                "nm_org": "Ilmu Informasi",
+                "angkatan": "2017"
+            }]
+        }, status_code=200)
+
+        url = '/api/login/'
+        response = self.client.post(url, {'username': 'dummy.mahasiswa', 'password': 'lalala', 'login-type': 'sso-ui'},
+                                    format='json')
+        student_id = response.data.get('student').get('id')
+
+        url = '/api/profiles/students/' + str(student_id) + "/"
+        response = self.client.patch(url, {'phone_number': '08123123123'}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
+        self.assertEqual(response.data.get('phone_number'), '08123123123')
+
+        url = '/api/profiles/students/' + str(student_id) + "/"
+        response = self.client.patch(url, {'email': 'saasdasd'}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        url = '/api/profiles/students/123123123/'
+        response = self.client.patch(url, {'phone_number': '08123123123'}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+        new_user = User.objects.create_user('dummy.student2', 'dummy.student@student.com', 'lalala123')
+        new_student = Student.objects.create(user=new_user, npm="1212121212")
+
+        url = '/api/profiles/students/' + str(new_student.pk) + "/"
+        response = self.client.patch(url, {'phone_number': '08123123123'}, format='multipart')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
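Review bot: `ProfileUpdateTests.test_student_profile_update` never exercises the `photo` field this commit introduces — every PATCH sends only `phone_number` or `email` — so the upload path and `get_student_photo_file_path` run untested. A case that PATCHes `{'photo': SimpleUploadedFile(...)}` with `format='multipart'` and asserts the stored name lands under `student-photo/` with the expected extension, plus, if the field gains image validation, one sending a non-image file and asserting `HTTP_400_BAD_REQUEST`, would pin the intended behavior. Separately, `student_id = response.data.get('student').get('id')` follows the login POST without asserting its status, so a failed login surfaces as an `AttributeError` on `None` rather than a readable assertion; add `self.assertEqual(response.status_code, ...)` with whatever success status the login view returns before reading `response.data`. Building `url` by string concatenation three times is a style point as well; `reverse()` with the route name, or a single helper, would keep the four PATCH calls uniform.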