diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index ba5c335..53615f7 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -46,9 +46,9 @@ class AdminController < ApplicationController
   end
 
   def delete_user
-    user = User.find_by_user_id(params[:admin_id])
-    if user && !(current_user.user_id == user.user_id)
-      # Call destroy here so that all association records w/ user_id are destroyed as well
+    user = User.find_by(id: params[:admin_id])
+    if user && !(current_user.id == user.id)
+      # Call destroy here so that all association records w/ id are destroyed as well
       # Example user.retirement records would be destroyed
       user.destroy
       message = true
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e0305f4..b99f51c 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -17,8 +17,8 @@ class ApplicationController < ActionController::Base
 
   def current_user
     @current_user ||= (
-      User.find_by_auth_token(cookies[:auth_token].to_s) ||
-      User.find_by_user_id(session[:user_id].to_s)
+      User.find_by(auth_token: cookies[:auth_token].to_s) ||
+      User.find_by(id: session[:user_id].to_s)
     )
   end
 
diff --git a/app/controllers/benefit_forms_controller.rb b/app/controllers/benefit_forms_controller.rb
index 2f59d72..97721c9 100644
--- a/app/controllers/benefit_forms_controller.rb
+++ b/app/controllers/benefit_forms_controller.rb
@@ -11,7 +11,7 @@ class BenefitFormsController < ApplicationController
      file = params[:type].constantize.new(path)
      send_file file, disposition: "attachment"
    rescue
-     redirect_to user_benefit_forms_path(user_id: current_user.user_id)
+     redirect_to user_benefit_forms_path(user_id: current_user.id)
    end
   end
 
@@ -23,7 +23,7 @@ class BenefitFormsController < ApplicationController
     else
       flash[:error] = "Something went wrong"
     end
-    redirect_to user_benefit_forms_path(user_id: current_user.user_id)
+    redirect_to user_benefit_forms_path(user_id: current_user.id)
   end
 
 end
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index b74d84b..db97e86 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -16,7 +16,7 @@ class MessagesController < ApplicationController
 
     if message.destroy
       flash[:success] = "Your message has been deleted."
-      redirect_to user_messages_path(user_id: current_user.user_id)
+      redirect_to user_messages_path(user_id: current_user.id)
     else
       flash[:error] = "Could not delete message."
     end
@@ -25,7 +25,7 @@ class MessagesController < ApplicationController
   def create
     if Message.create(message_params)
       respond_to do |format|
-        format.html { redirect_to user_messages_path(user_id: current_user.user_id) }
+        format.html { redirect_to user_messages_path(user_id: current_user.id) }
         format.json { render json: {msg: "success"} }
       end
     else
diff --git a/app/controllers/password_resets_controller.rb b/app/controllers/password_resets_controller.rb
index 6e9402c..5dbcd59 100644
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@@ -50,10 +50,10 @@ class PasswordResetsController < ApplicationController
   end
 
   def is_valid?(token)
-    if token =~ /(?<user_id>\d+)-(?<email_hash>[A-Z0-9]{32})/i
+    if token =~ /(?<user>\d+)-(?<email_hash>[A-Z0-9]{32})/i
 
       # Fetch the user by their id, and hash their email address
-      @user = User.find_by_id($~[:user_id])
+      @user = User.find_by(id: $~[:user])
       email = Digest::MD5.hexdigest(@user.email)
 
       # Compare and validate our hashes
diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb
index df1cd04..7db951e 100644
--- a/app/controllers/pay_controller.rb
+++ b/app/controllers/pay_controller.rb
@@ -7,11 +7,12 @@ class PayController < ApplicationController
   def update_dd_info
     msg = false
     pay = Pay.new(
-    bank_account_num: params[:bank_account_num],
-    bank_routing_num: params[:bank_routing_num],
-    percent_of_deposit: params[:dd_percent]
+      bank_account_num: params[:bank_account_num],
+      bank_routing_num: params[:bank_routing_num],
+      percent_of_deposit: params[:dd_percent],
+      user_id: current_user.id
     )
-    pay.user_id = current_user.user_id
+
     msg = true if pay.save!
     respond_to do |format|
       format.json {render json: {msg: msg } }
diff --git a/app/controllers/schedule_controller.rb b/app/controllers/schedule_controller.rb
index 8c14ac5..7e30139 100644
--- a/app/controllers/schedule_controller.rb
+++ b/app/controllers/schedule_controller.rb
@@ -7,7 +7,7 @@ class ScheduleController < ApplicationController
       if params[:schedule][:event_type] == "pto"
         sched = Schedule.new(schedule_params)
         sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
-        sched.user_id = current_user.user_id
+        sched.user_id = current_user.id
         a = sched.date_end
         if sched.save
           message = true
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 30ed486..203f116 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -19,9 +19,9 @@ class SessionsController < ApplicationController
 
     if user
       if params[:remember_me]
-        cookies.permanent[:auth_token] = user.auth_token if User.where(user_id: user.user_id).exists?
+        cookies.permanent[:auth_token] = user.auth_token
       else
-        session[:user_id] = user.user_id if User.where(user_id: user.user_id).exists?
+        session[:user_id] = user.id
       end
       redirect_to path
     else
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 329904e..cc04a07 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -10,7 +10,7 @@ class UsersController < ApplicationController
   def create
     user = User.new(user_params)
     if user.save
-      session[:user_id] = user.user_id
+      session[:user_id] = user.id
       redirect_to home_dashboard_index_path
     else
       @user = user
@@ -26,22 +26,21 @@ class UsersController < ApplicationController
   def update
     message = false
 
-    user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
+    user = User.where("id = '#{params[:user][:id]}'")[0]
 
     if user
-      user.skip_user_id_assign = true
       user.update_attributes(user_params_without_password)
       if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
         user.password = params[:user][:password]
       end
       message = true if user.save!
       respond_to do |format|
-        format.html { redirect_to user_account_settings_path(user_id: current_user.user_id) }
+        format.html { redirect_to user_account_settings_path(user_id: current_user.id) }
         format.json { render json: {msg: message ? "success" : "false "} }
       end
     else
       flash[:error] = "Could not update user!"
-      redirect_to user_account_settings_path(user_id: current_user.user_id)
+      redirect_to user_account_settings_path(user_id: current_user.id)
     end
   end
 
diff --git a/app/controllers/work_info_controller.rb b/app/controllers/work_info_controller.rb
index 31fa91c..1b6c8b9 100644
--- a/app/controllers/work_info_controller.rb
+++ b/app/controllers/work_info_controller.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 class WorkInfoController < ApplicationController
   def index
-    @user = User.find_by_user_id(params[:user_id])
+    @user = User.find_by(id: params[:user_id])
     if !(@user) || @user.admin
       flash[:error] = "Sorry, no user with that user id exists"
       redirect_to home_dashboard_index_path
diff --git a/app/models/message.rb b/app/models/message.rb
index 2796a51..c3663ee 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -4,7 +4,7 @@ class Message < ApplicationRecord
   validates_presence_of :creator_id, :receiver_id, :message
 
   def creator_name
-    if creator = User.where(user_id: self.creator_id).first
+    if creator = User.where(id: self.creator_id).first
       creator.full_name
     else
       "Name unavailable"
diff --git a/app/models/user.rb b/app/models/user.rb
index 3468edd..baa2342 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -11,16 +11,16 @@ class User < ApplicationRecord
   validates_presence_of :email
   validates_uniqueness_of :email
   validates_format_of :email, with: /.+@.+\..+/i
-  attr_accessor :skip_user_id_assign
-  before_save :assign_user_id, on: :create
+
+  has_one :retirement, dependent: :destroy
+  has_one :paid_time_off, dependent: :destroy
+  has_one :work_info, dependent: :destroy
+  has_many :performance, dependent: :destroy
+  has_many :pay, dependent: :destroy
+  has_many :messages, foreign_key: :receiver_id, dependent: :destroy
+
   before_save :hash_password
-  has_one :retirement, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_one :paid_time_off, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_one :work_info, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_many :performance, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_many :messages, foreign_key: :receiver_id, primary_key: :user_id, dependent: :destroy
-  has_many :pay, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  before_create { generate_token(:auth_token) }
+  after_create { generate_token(:auth_token) }
   before_create :build_benefits_data
 
   def build_benefits_data
@@ -36,11 +36,6 @@ class User < ApplicationRecord
     "#{self.first_name} #{self.last_name}"
   end
 
-#   # Instead of the entire user object being returned, we can use this to filter.
-#   def as_json
-#     super(only: [:user_id, :email, :first_name, :last_name])
-#   end
-
   private
 
   def self.authenticate(email, password)
@@ -55,26 +50,18 @@ class User < ApplicationRecord
     return auth
   end
 
-  def assign_user_id
-    unless @skip_user_id_assign.present? || self.user_id.present?
-      user = User.order("user_id").last
-      uid = if user && user.user_id && !(User.exists?(user_id: "#{user.user_id.to_i + 1}"))
-              user.user_id.to_i + 1
-            else
-              1
-            end
-      self.user_id = uid.to_s if uid
-    end
-  end
-
   def hash_password
-    if password.present? && password_changed?
-      self.password = Digest::MD5.hexdigest(password)
+    if will_save_change_to_password?
+      self.password = Digest::MD5.hexdigest(self.password)
     end
   end
 
   def generate_token(column)
-    self[column] = Encryption.encrypt_sensitive_value(self.user_id)
-    generate_token(column) if User.exists?(column => self[column])
+    loop do
+      self[column] = Encryption.encrypt_sensitive_value(self.id)
+      break unless User.exists?(column => self[column])
+    end
+
+    self.save!
   end
 end
diff --git a/app/views/admin/get_user.html.erb b/app/views/admin/get_user.html.erb
index 8b2652e..bce0e23 100755
--- a/app/views/admin/get_user.html.erb
+++ b/app/views/admin/get_user.html.erb
@@ -62,7 +62,7 @@ $('#submit_button').click(function() {
   $("#editAcct").modal('hide');
 
   $.ajax({
-      url: "/admin/" +  <%= @user.user_id %> + "/update_user.json",
+      url: "/admin/" +  <%= @user.id %> + "/update_user.json",
     data: valuesToSubmit,
     type: "POST",
     success: function(response) {
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 4046531..371f8aa 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -14,7 +14,7 @@
         <span class="caret"></span>
         <ul class="dropdown-menu pull-right">
           <li>
-           <%= link_to "Account settings", user_account_settings_path(:user_id => current_user.user_id) %>
+           <%= link_to "Account settings", user_account_settings_path(user_id: current_user.id) %>
           </li>
           <li>
             <%= link_to "Logout", logout_path %>
diff --git a/app/views/layouts/shared/_sidebar.html.erb b/app/views/layouts/shared/_sidebar.html.erb
index a3d5adb..8b1a673 100755
--- a/app/views/layouts/shared/_sidebar.html.erb
+++ b/app/views/layouts/shared/_sidebar.html.erb
@@ -32,7 +32,7 @@
             </li>
     	<% end %>
         <li id="benefit_forms">
-    <%= link_to user_benefit_forms_path(:user_id => current_user.user_id) do %>
+    <%= link_to user_benefit_forms_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe05c;"></span>
             </div>
@@ -40,7 +40,7 @@
           <% end %>
         </li>
         <li id="retirement">
-           <%= link_to user_retirement_index_path(:user_id => current_user.user_id) do %>
+           <%= link_to user_retirement_index_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe096;"></span>
             </div>
@@ -48,7 +48,7 @@
           <% end %>
         </li>
         <li id="pto">
-          <%= link_to user_paid_time_off_index_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_paid_time_off_index_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe0d2;"></span>
             </div>
@@ -56,7 +56,7 @@
          <% end %>
         </li>
         <li id="employee_info">
-           <%= link_to user_work_info_index_path(:user_id => current_user.user_id) do %>
+           <%= link_to user_work_info_index_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe0a9;"></span>
             </div>
@@ -64,7 +64,7 @@
           <% end %>
         </li>
         <li id="performance">
-          <%= link_to user_performance_index_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_performance_index_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe14a;"></span>
             </div>
@@ -72,7 +72,7 @@
           <% end %>
         </li>
         <li id="messages">
-          <%= link_to user_messages_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_messages_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe040;"></span>
             </div>
@@ -80,7 +80,7 @@
           <% end %>
         </li>
     <li id="pay">
-      <%= link_to user_pay_index_path(:user_id => current_user.user_id) do %>
+      <%= link_to user_pay_index_path(user_id: current_user.id) do %>
             <div class="icon">
               <span class="fs1" aria-hidden="true" data-icon="&#xe038;"></span>
             </div>
@@ -139,4 +139,4 @@
   });
 
   </script>
-<% end %>
\ No newline at end of file
+<% end %>
diff --git a/app/views/messages/index.html.erb b/app/views/messages/index.html.erb
index 1917b7f..49578b9 100644
--- a/app/views/messages/index.html.erb
+++ b/app/views/messages/index.html.erb
@@ -111,7 +111,7 @@ $("#submit_button").click(function(event) {
     var valuesToSubmit = $("#send_message").serialize();
     event.preventDefault();
     $.ajax({
-      url: <%= "/users/#{current_user.user_id}/messages.json".inspect.html_safe %>,
+      url: <%= "/users/#{current_user.id}/messages.json".inspect.html_safe %>,
     data: valuesToSubmit,
     type: "POST",
     success: function(response) {
@@ -135,4 +135,4 @@ $(document).ready(function () {
   makeActive()
 });
 
-</script>
\ No newline at end of file
+</script>
diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb
index abd090e..0f6b15b 100644
--- a/app/views/pay/index.html.erb
+++ b/app/views/pay/index.html.erb
@@ -186,7 +186,7 @@ function parseDirectDepostInfo(response){
 function populateTable() {
   $('#data_table').dataTable().fnClearTable();
   $.ajax({
-      url: <%= sanitize(user_pay_path(:format => "json", :user_id => current_user.user_id, :id => current_user.user_id).inspect) %>,
+      url: <%= sanitize(user_pay_path(:format => "json", user_id: current_user.id, id: current_user.id).inspect) %>,
     type: "GET",
     success: function(response) {
     parseDirectDepostInfo(response);
@@ -237,7 +237,7 @@ $("#decrypt_btn").click(function(event){
   var valuesToSubmit = $("#decrypt_form").serialize();
   event.preventDefault();
   $.ajax({
-      url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", :user_id => current_user.user_id).inspect) %>,
+      url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", user_id: current_user.id).inspect) %>,
     data: valuesToSubmit,
     type: "POST",
     success: function(response) {
@@ -298,4 +298,4 @@ $(document).ready(
    populateTable()
  )
 
-</script>
\ No newline at end of file
+</script>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index cb474b0..c33db06 100755
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -30,7 +30,7 @@
           </div>
 
           <div class="content">
-            <%= hidden_field_tag :url, @url%>
+            <%= hidden_field_tag :url, @url %>
             <%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder=>"Email"} %>
             <%= password_field_tag :password, nil, {:class => "input input-block-level", :placeholder=>"Password"}%>
           </div>
diff --git a/app/views/users/account_settings.html.erb b/app/views/users/account_settings.html.erb
index 87a57a3..709a77d 100755
--- a/app/views/users/account_settings.html.erb
+++ b/app/views/users/account_settings.html.erb
@@ -37,7 +37,7 @@
             </div>
             <div class="widget-body">
            <%= form_for @user, :html => {:id => "account_edit"} do |f|%>
-               <%= f.hidden_field :user_id%>
+               <%= f.hidden_field :id %>
           <div class="control-group">
                   <%= f.label :email, nil, {:class => "control-label"}%>
             <%= f.text_field :email, {:class => "span12"}%>
@@ -84,7 +84,7 @@ $("#submit_button").click(function(event) {
     var valuesToSubmit = $("#account_edit").serialize();
     event.preventDefault();
     $.ajax({
-      url: <%= "/users/#{current_user.user_id}.json".inspect.html_safe %>,
+      url: <%= "/users/#{current_user.id}.json".inspect.html_safe %>,
     data: valuesToSubmit,
     type: "POST",
     success: function(response) {
diff --git a/config/routes.rb b/config/routes.rb
index 4cd9f77..7b6c40f 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -12,31 +12,17 @@ Railsgoat::Application.routes.draw do
 
   get "dashboard/doc" => "dashboard#doc"
 
-  resources :sessions do
-  end
+  resources :sessions
 
   resources :users do
     get "account_settings"
 
-    resources :retirement do
-    end
-
-    resources :paid_time_off do
-    end
-
-    resources :work_info do
-    end
-
-    resources :performance do
-
-    end
-
-    resources :benefit_forms do
-
-    end
-
-    resources :messages do
-    end
+    resources :retirement
+    resources :paid_time_off
+    resources :work_info
+    resources :performance
+    resources :benefit_forms
+    resources :messages
 
     resources :pay do
       collection do
@@ -60,7 +46,6 @@ Railsgoat::Application.routes.draw do
     collection do
       get "get_pto_schedule"
     end
-
   end
 
   resources :admin do
@@ -81,12 +66,10 @@ Railsgoat::Application.routes.draw do
 
   namespace :api, defaults: {format: "json"} do
     namespace :v1 do
-        resources :users
-        resources :mobile
+      resources :users
+      resources :mobile
     end
   end
 
-
   root to: "sessions#new"
-
 end
diff --git a/db/migrate/20171007010129_remove_users_user_id.rb b/db/migrate/20171007010129_remove_users_user_id.rb
new file mode 100644
index 0000000..52775ed
--- /dev/null
+++ b/db/migrate/20171007010129_remove_users_user_id.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+class RemoveUsersUserId < ActiveRecord::Migration[5.1]
+  def change
+    remove_column :users, :user_id, :integer
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index bef5c87..e9d5e1e 100755
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,12 +11,12 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20140408185601) do
+ActiveRecord::Schema.define(version: 20171007010129) do
 
   create_table "analytics", force: :cascade do |t|
-    t.string   "ip_address"
-    t.string   "referrer"
-    t.string   "user_agent"
+    t.string "ip_address"
+    t.string "referrer"
+    t.string "user_agent"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
@@ -27,92 +27,91 @@ ActiveRecord::Schema.define(version: 20140408185601) do
   end
 
   create_table "key_managements", force: :cascade do |t|
-    t.string   "iv"
-    t.integer  "user_id"
+    t.string "iv"
+    t.integer "user_id"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "messages", force: :cascade do |t|
-    t.integer  "creator_id"
-    t.integer  "receiver_id"
-    t.text     "message"
-    t.boolean  "read"
+    t.integer "creator_id"
+    t.integer "receiver_id"
+    t.text "message"
+    t.boolean "read"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "paid_time_offs", force: :cascade do |t|
-    t.integer  "user_id"
-    t.integer  "sick_days_taken"
-    t.integer  "sick_days_earned"
-    t.integer  "pto_taken"
-    t.integer  "pto_earned"
+    t.integer "user_id"
+    t.integer "sick_days_taken"
+    t.integer "sick_days_earned"
+    t.integer "pto_taken"
+    t.integer "pto_earned"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "pays", force: :cascade do |t|
-    t.integer  "user_id"
-    t.string   "bank_account_num"
-    t.string   "bank_routing_num"
-    t.integer  "percent_of_deposit"
+    t.integer "user_id"
+    t.string "bank_account_num"
+    t.string "bank_routing_num"
+    t.integer "percent_of_deposit"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "performances", force: :cascade do |t|
-    t.integer  "user_id"
-    t.date     "date_submitted"
-    t.integer  "score"
-    t.string   "comments"
-    t.integer  "reviewer"
+    t.integer "user_id"
+    t.date "date_submitted"
+    t.integer "score"
+    t.string "comments"
+    t.integer "reviewer"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "retirements", force: :cascade do |t|
-    t.string   "total"
-    t.string   "employee_contrib"
-    t.string   "employer_contrib"
-    t.integer  "user_id"
+    t.string "total"
+    t.string "employee_contrib"
+    t.string "employer_contrib"
+    t.integer "user_id"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "schedules", force: :cascade do |t|
-    t.string   "event_type"
-    t.date     "date_begin"
-    t.date     "date_end"
-    t.string   "event_name"
-    t.string   "event_desc"
-    t.integer  "user_id"
+    t.string "event_type"
+    t.date "date_begin"
+    t.date "date_end"
+    t.string "event_name"
+    t.string "event_desc"
+    t.integer "user_id"
     t.datetime "created_at"
     t.datetime "updated_at"
   end
 
   create_table "users", force: :cascade do |t|
-    t.string   "email"
-    t.string   "password"
-    t.boolean  "admin"
-    t.string   "first_name"
-    t.string   "last_name"
-    t.integer  "user_id"
+    t.string "email"
+    t.string "password"
+    t.boolean "admin"
+    t.string "first_name"
+    t.string "last_name"
     t.datetime "created_at"
     t.datetime "updated_at"
-    t.string   "auth_token"
+    t.string "auth_token"
   end
 
   create_table "work_infos", force: :cascade do |t|
-    t.integer  "user_id"
-    t.string   "income"
-    t.string   "bonuses"
-    t.integer  "years_worked"
-    t.string   "SSN"
-    t.date     "DoB"
+    t.integer "user_id"
+    t.string "income"
+    t.string "bonuses"
+    t.integer "years_worked"
+    t.string "SSN"
+    t.date "DoB"
     t.datetime "created_at"
     t.datetime "updated_at"
-    t.binary   "encrypted_ssn"
+    t.binary "encrypted_ssn"
   end
 
 end
diff --git a/db/seeds.rb b/db/seeds.rb
index 3a04f34..338f956 100755
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -4,314 +4,308 @@
 #
 
 users = [
-     {
-       email: "admin@metacorp.com",
-       admin: true,
-       password: "admin1234",
-       password_confirmation: "admin1234",
-       first_name: "Admin",
-       last_name: "",
-       user_id: 1
-      },
-     {
-       email: "jmmastey@metacorp.com",
-       admin: false,
-       password: "railsgoat!",
-       password_confirmation: "railsgoat!",
-       first_name: "Joseph",
-       last_name: "Mastey",
-       user_id: 2
-     },
-     {
-       email: "jim@metacorp.com",
-       admin: false,
-       password: "alohaowasp",
-       password_confirmation: "alohaowasp",
-       first_name: "Jim",
-       last_name: "Manico",
-       user_id: 3
-     },
-     {
-       email: "mike@metacorp.com",
-       admin: false,
-       password: "motocross1445",
-       password_confirmation: "motocross1445",
-       first_name: "Mike",
-       last_name: "McCabe",
-       user_id: 4
-      },
-     {
-       email: "ken@metacorp.com",
-       admin: false,
-       password: "citrusblend",
-       password_confirmation: "citrusblend",
-       first_name: "Ken",
-       last_name: "Johnson",
-       user_id: 5
-     },
-     {
-       email: "admin2@metacorp.com",
-       admin: false,
-       password: "adminadmin",
-       password_confirmation: "adminadmin",
-       first_name: "Admin2",
-       last_name: "",
-       user_id: 6
-      }
+  {
+    email: "admin@metacorp.com",
+    admin: true,
+    password: "admin1234",
+    password_confirmation: "admin1234",
+    first_name: "Admin",
+    last_name: "",
+  },
+
+  {
+    email: "jmmastey@metacorp.com",
+    admin: false,
+    password: "railsgoat!",
+    password_confirmation: "railsgoat!",
+    first_name: "Joseph",
+    last_name: "Mastey",
+  },
+
+  {
+    email: "jack@metacorp.com",
+    admin: false,
+    password: "yankeessuck",
+    password_confirmation: "yankeessuck",
+    first_name: "Jack",
+    last_name: "Mannino",
+  },
+
+  {
+    email: "jim@metacorp.com",
+    admin: false,
+    password: "alohaowasp",
+    password_confirmation: "alohaowasp",
+    first_name: "Jim",
+    last_name: "Manico",
+  },
+
+  {
+    email: "mike@metacorp.com",
+    admin: false,
+    password: "motocross1445",
+    password_confirmation: "motocross1445",
+    first_name: "Mike",
+    last_name: "McCabe",
+  },
+
+  {
+    email: "ken@metacorp.com",
+    admin: false,
+    password: "citrusblend",
+    password_confirmation: "citrusblend",
+    first_name: "Ken",
+    last_name: "Johnson",
+  },
+
+  {
+    email: "admin2@metacorp.com",
+    admin: false,
+    password: "adminadmin",
+    password_confirmation: "adminadmin",
+    first_name: "Admin2",
+    last_name: "",
+  }
 ]
 
 retirements = [
-      {
-        user_id: 2,
-        employee_contrib: "1000",
-        employer_contrib: "2000",
-        total: "4500"
-      },
-      {
-        user_id: 3,
-        employee_contrib: "8000",
-        employer_contrib: "16000",
-        total: "30000"
-      },
-      {
-        user_id: 4,
-        employee_contrib: "10000",
-        employer_contrib: "20000",
-        total: "40000"
-      },
-      {
-        user_id: 5,
-        employee_contrib: "3000",
-        employer_contrib: "6000",
-        total: "12500"
-      }
-
+  {
+    user: "jack@metacorp.com",
+    employee_contrib: "1000",
+    employer_contrib: "2000",
+    total: "4500"
+  },
+  {
+    user: "jim@metacorp.com",
+    employee_contrib: "8000",
+    employer_contrib: "16000",
+    total: "30000"
+  },
+  {
+    user: "mike@metacorp.com",
+    employee_contrib: "10000",
+    employer_contrib: "20000",
+    total: "40000"
+  },
+  {
+    user: "ken@metacorp.com",
+    employee_contrib: "3000",
+    employer_contrib: "6000",
+    total: "12500"
+  }
 ]
 
 paid_time_off = [
-      {
-        user_id: 2,
-        sick_days_taken: 2,
-        sick_days_earned: 5,
-        pto_taken: 5,
-        pto_earned: 30
-      },
-      {
-        user_id: 3,
-        sick_days_taken: 3,
-        sick_days_earned: 6,
-        pto_taken: 3,
-        pto_earned: 20
-      },
-      {
-        user_id: 4,
-        sick_days_taken: 2,
-        sick_days_earned: 5,
-        pto_taken: 5,
-        pto_earned: 30
-      },
-      {
-        user_id: 5,
-        sick_days_taken: 1,
-        sick_days_earned: 5,
-        pto_taken: 10,
-        pto_earned: 30
-      }
+  {
+    user: "jack@metacorp.com",
+    sick_days_taken: 2,
+    sick_days_earned: 5,
+    pto_taken: 5,
+    pto_earned: 30
+  },
+  {
+    user: "jim@metacorp.com",
+    sick_days_taken: 3,
+    sick_days_earned: 6,
+    pto_taken: 3,
+    pto_earned: 20
+  },
+  {
+    user: "mike@metacorp.com",
+    sick_days_taken: 2,
+    sick_days_earned: 5,
+    pto_taken: 5,
+    pto_earned: 30
+  },
+  {
+    user: "ken@metacorp.com",
+    sick_days_taken: 1,
+    sick_days_earned: 5,
+    pto_taken: 10,
+    pto_earned: 30
+  }
+]
 
-  ]
+schedule = [
+  {
+    user: "jack@metacorp.com",
+    date_begin: Date.new(2014, 7, 30),
+    date_end: Date.new(2014, 8, 2),
+    event_type: "pto",
+    event_desc: "vacation to france",
+    event_name: "My 2014 Vacation"
+  },
+  {
+    user: "jim@metacorp.com",
+    date_begin: Date.new(2013, 9, 1),
+    date_end: Date.new(2013, 9, 12),
+    event_type: "pto",
+    event_desc: "Going Home to see folks",
+    event_name: "Visit Parents"
+  },
+  {
+    user: "mike@metacorp.com",
+    date_begin: Date.new(2013, 9, 13),
+    date_end: Date.new(2013, 9, 20),
+    event_type: "pto",
+    event_desc: "Taking kids to Grand Canyon",
+    event_name: "AZ Trip"
+  },
+  {
+    user: "ken@metacorp.com",
+    date_begin: Date.new(2013, 12, 20),
+    date_end: Date.new(2013, 12, 30),
+    event_type: "pto",
+    event_desc: "Xmas Staycation",
+    event_name: "Christmas Leave"
+  }
+]
 
-  schedule = [
-        {
-          user_id: 2,
-          date_begin: Date.new(2014, 7, 30),
-          date_end: Date.new(2014, 8, 2),
-          event_type: "pto",
-          event_desc: "vacation to france",
-          event_name: "My 2014 Vacation"
+work_info = [
+  {
+    user: "jack@metacorp.com",
+    income: "$50,000",
+    bonuses: "$10,000",
+    years_worked: 2,
+    SSN: "555-55-5555",
+    DoB: "01-01-1980"
+  },
+  {
+    user: "jim@metacorp.com",
+    income: "$40,000",
+    bonuses: "$10,000",
+    years_worked: 1,
+    SSN: "333-33-3333",
+    DoB: "01-01-1979"
+  },
+  {
+    user: "mike@metacorp.com",
+    income: "$60,000",
+    bonuses: "$12,000",
+    years_worked: 3,
+    SSN: "444-44-4444",
+    DoB: "01-01-1981"
+  },
+  {
+    user: "ken@metacorp.com",
+    income: "$30,000",
+    bonuses: "7,000",
+    years_worked: 1,
+    SSN: "222-22-2222",
+    DoB: "01-01-1982"
+  }
+]
 
-        },
-        {
-          user_id: 3,
-          date_begin: Date.new(2013, 9, 1),
-          date_end: Date.new(2013, 9, 12),
-          event_type: "pto",
-          event_desc: "Going Home to see folks",
-          event_name: "Visit Parents"
-
-        },
-        {
-          user_id: 4,
-          date_begin: Date.new(2013, 9, 13),
-          date_end: Date.new(2013, 9, 20),
-          event_type: "pto",
-          event_desc: "Taking kids to Grand Canyon",
-          event_name: "AZ Trip"
-
-        },
-        {
-          user_id: 5,
-          date_begin: Date.new(2013, 12, 20),
-          date_end: Date.new(2013, 12, 30),
-          event_type: "pto",
-          event_desc: "Xmas Staycation",
-          event_name: "Christmas Leave"
-        }
-
-    ]
-
-  work_info = [
-    {
-      user_id: 2,
-      income: "$50,000",
-      bonuses: "$10,000",
-      years_worked: 2,
-      SSN: "555-55-5555",
-      DoB: "01-01-1980"
-    },
-    {
-      user_id: 3,
-      income: "$40,000",
-      bonuses: "$10,000",
-      years_worked: 1,
-      SSN: "333-33-3333",
-      DoB: "01-01-1979"
-    },
-    {
-      user_id: 4,
-      income: "$60,000",
-      bonuses: "$12,000",
-      years_worked: 3,
-      SSN: "444-44-4444",
-      DoB: "01-01-1981"
-    },
-    {
-      user_id: 5,
-      income: "$30,000",
-      bonuses: "7,000",
-      years_worked: 1,
-      SSN: "222-22-2222",
-      DoB: "01-01-1982"
-    }
-  ]
-
-  performance = [
-    {
-      user_id: 2,
-      reviewer: 1,
-      comments: "Great job! You are my hero",
-      date_submitted: Date.new(2012, 01, 01),
-      score: 5
-    },
-    {
-    user_id: 2,
+performance = [
+  {
+    user: "jack@metacorp.com",
+    reviewer: 1,
+    comments: "Great job! You are my hero",
+    date_submitted: Date.new(2012, 01, 01),
+    score: 5
+  },
+  {
+    user: "jack@metacorp.com",
     reviewer: 1,
     comments: "Once again, you've done a great job this year. We greatly appreciate your hard work.",
     date_submitted: Date.new(2013, 01, 01),
     score: 5
-    },
-    {
-      user_id: 3,
-      reviewer: 1,
-      comments: "Great worker, great attitude for this newcomer!",
-      date_submitted: Date.new(2013, 01, 01),
-      score: 5
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
-      date_submitted: Date.new(2011, 01, 01),
-      score: 4
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
-      date_submitted: Date.new(2012, 01, 01),
-      score: 5
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
-      date_submitted: Date.new(2013, 01, 01),
-      score: 4
-    },
-    {
-       user_id: 5,
-       reviewer: 1,
-       comments: "Ehh, you are okay, we will let you stay..... barely",
-       date_submitted: Date.new(2013, 01, 01),
-       score: 2
-     }
-  ]
+  },
+  {
+    user: "jim@metacorp.com",
+    reviewer: 1,
+    comments: "Great worker, great attitude for this newcomer!",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 5
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
+    date_submitted: Date.new(2011, 01, 01),
+    score: 4
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
+    date_submitted: Date.new(2012, 01, 01),
+    score: 5
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 4
+  },
+  {
+    user: "ken@metacorp.com",
+    reviewer: 1,
+    comments: "Ehh, you are okay, we will let you stay..... barely",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 2
+  }
+]
 
-    messages = [
-    {
-      receiver_id: 2,
-      creator_id: 5,
-      message: "Your benefits have been updated.",
-      read: false
-    },
-    {
-      receiver_id: 3,
-      creator_id: 4,
-      message: "Please update your profile.",
-      read: false
-    },
-    {
-      receiver_id: 4,
-      creator_id: 3,
-      message: "Welcome to Railsgoat.",
-      read: false
-    },
-    {
-      receiver_id: 5,
-      creator_id: 2,
-      message: "Hello friend.",
-      read: false
-    }
-  ]
+messages = [
+  {
+    creator: "ken@metacorp.com",
+    receiver: "jack@metacorp.com",
+    message: "Your benefits have been updated.",
+    read: false
+  },
+  {
+    creator: "mike@metacorp.com",
+    receiver: "jim@metacorp.com",
+    message: "Please update your profile.",
+    read: false
+  },
+  {
+    creator: "jim@metacorp.com",
+    receiver: "mike@metacorp.com",
+    message: "Welcome to Railsgoat.",
+    read: false
+  },
+  {
+    creator: "jack@metacorp.com",
+    receiver: "ken@metacorp.com",
+    message: "Hello friend.",
+    read: false
+  }
+]
 
-
-users.each do |user_info|
-  user = User.new(user_info.reject { |k| k == :user_id })
-  user.user_id = user_info[:user_id]
-  user.save!
+user_map = users.each_with_object({}) do |user_info, h|
+  h[user_info[:email]] = User.create!(user_info).id
 end
 
 retirements.each do |r|
- ret = Retirement.new(r.reject { |k| k == :user_id})
- ret.user_id = r[:user_id]
- ret.save!
+  r[:user_id] = user_map.fetch(r.delete(:user))
+  Retirement.create!(r)
 end
 
 paid_time_off.each do |pto|
-  ptoff = PaidTimeOff.new(pto.reject { |k| k == :user_id})
-  ptoff.user_id = pto[:user_id]
-  ptoff.save!
+  pto[:user_id] = user_map.fetch(pto.delete(:user))
+  PaidTimeOff.create!(pto)
 end
 
 schedule.each do |event|
-  sched = Schedule.new(event.reject { |k| k == :user_id})
-  sched.user_id = event[:user_id]
-  sched.save!
+  event[:user_id] = user_map.fetch(event.delete(:user))
+  Schedule.create!(event)
 end
 
 performance.each do |perf|
-  p = Performance.new(perf.reject { |k| k == :user_id})
-  p.user_id = perf[:user_id]
-  p.save!
+  perf[:user_id] = user_map.fetch(perf.delete(:user))
+  Performance.create!(perf)
 end
 
 messages.each do |message|
-  m = Message.new(message.reject { |k| k == :creator_id})
-  m.creator_id = message[:creator_id]
-  m.save!
+  message[:creator_id] = user_map.fetch(message.delete(:creator))
+  message[:receiver_id] = user_map.fetch(message.delete(:receiver))
+  Message.create!(message)
 end
 
 work_info.each do |wi|
-  info = WorkInfo.new(wi.reject { |k| k == :user_id })
-  info.user_id = wi[:user_id]
-  info.save!
+  wi[:user_id] = user_map.fetch(wi.delete(:user))
+  WorkInfo.create!(wi)
 end
diff --git a/spec/support/user_fixture.rb b/spec/support/user_fixture.rb
index 40cff53..e89cdda 100644
--- a/spec/support/user_fixture.rb
+++ b/spec/support/user_fixture.rb
@@ -7,12 +7,15 @@ class UserFixture
 
   def self.normal_user
     password = "thi$ 1s cOmplExEr"
-    user = User.new(first_name: "Joe", last_name: "Schmoe",
-                    email: "joe@schmoe.com", password: password, password_confirmation: password)
-    def user.clear_password
-      "thi$ 1s cOmplExEr"
+    User.create!(first_name: "Joe", last_name: "Schmoe", email: "joe@schmoe.com",
+                 password: password, password_confirmation: password).tap do |user|
+      def user.clear_password
+        "thi$ 1s cOmplExEr"
+      end
     end
-    user.save!
-    user
+  end
+
+  def self.admin_user
+    User.where(admin: true).first
   end
 end
diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb
index ad8a678..baa17ef 100644
--- a/spec/vulnerabilities/command_injection_spec.rb
+++ b/spec/vulnerabilities/command_injection_spec.rb
@@ -14,7 +14,7 @@ feature "command injection" do
     legit_file = File.join(Rails.root, "public", "data", "legit.txt")
     File.open(legit_file, "w") { |f| f.puts "totes legit" }
 
-    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    visit "/users/#{@normal_user.id}/benefit_forms"
     Dir.mktmpdir do |dir|
       hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
       File.open(hackety_file, "w") { |f| f.print "mwahaha" }
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index c990bef..e0743ea 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -10,7 +10,7 @@ feature "insecure direct object reference" do
   scenario "attack one" do
     login(@normal_user)
 
-    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    visit "/users/#{@normal_user.id}/benefit_forms"
     download_url = first(".widget-body a")[:href]
     visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 
@@ -23,11 +23,12 @@ feature "insecure direct object reference" do
 
   scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
     login(@normal_user)
+    expect(@normal_user.id).not_to eq(2)
+    another_user = User.find(2)
 
-    expect(@normal_user.user_id).not_to eq(2)
-    visit "/users/2/work_info"
+    visit "/users/#{another_user.id}/work_info"
 
     pending if verifying_fixed?
-    expect(first("td").text).to eq("Joseph Mastey")
+    expect(first("td").text).to eq(another_user.full_name)
   end
 end
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index b1cde1b..2e27350 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -12,11 +12,11 @@ feature "mass assignment" do
 
     login(@normal_user)
 
-    params = {user: {admin: "t",
-                        user_id: @normal_user.user_id,
+    params = { user:  { admin: "t",
+                        id: @normal_user.id,
                         password: @normal_user.clear_password,
                         password_confirmation: @normal_user.clear_password}}
-    page.driver.put "/users/#{@normal_user.user_id}.json", params
+    page.driver.put "/users/#{@normal_user.id}.json", params
 
     pending if verifying_fixed?
     expect(@normal_user.reload.admin).to be_truthy
diff --git a/spec/vulnerabilities/sensitive_data_exposure.rb b/spec/vulnerabilities/sensitive_data_exposure.rb
index 3811aef..d1a2007 100644
--- a/spec/vulnerabilities/sensitive_data_exposure.rb
+++ b/spec/vulnerabilities/sensitive_data_exposure.rb
@@ -13,7 +13,7 @@ feature "sensitive data exposure" do
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
     login @normal_user
 
-    visit "/users/#{@normal_user.user_id}/work_info"
+    visit "/users/#{@normal_user.id}/work_info"
     pending if verifying_fixed?
     expect(page.source).to include "999-99-9999"
   end
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index 326a970..79a5270 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -4,8 +4,9 @@ require "spec_helper"
 feature "sql injection" do
   before(:each) do
     UserFixture.reset_all_users
+
     @normal_user = UserFixture.normal_user
-    @admin_user = User.where("admin='t'").first
+    @admin_user = UserFixture.admin_user
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
@@ -13,14 +14,15 @@ feature "sql injection" do
 
     login(@normal_user)
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
+
     within("#account_edit") do
       fill_in "Email", with: "joe.admin@schmoe.com"
       fill_in "user_password", with: "H4cketyhack"
       fill_in "user_password_confirmation", with: "H4cketyhack"
 
       # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
     end
     click_on "Submit"
 
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index 8e45a36..c3ff7d7 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -9,6 +9,7 @@ feature "unvalidated redirect" do
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
     visit "/?url=http://example.com/do/evil/things"
+
     within(".signup") do
       fill_in "email", with: @normal_user.email
       fill_in "password", with: @normal_user.clear_password
@@ -16,6 +17,7 @@ feature "unvalidated redirect" do
     within(".actions") do
       click_on "Login"
     end
+
     pending if verifying_fixed?
     expect(current_url).to eq("http://example.com/do/evil/things")
   end
diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb
index 3a1ef4d..7a63d5f 100644
--- a/spec/vulnerabilities/xss_spec.rb
+++ b/spec/vulnerabilities/xss_spec.rb
@@ -10,7 +10,7 @@ feature "xss" do
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
     login @normal_user
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
     within("#account_edit") do
       fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
 
@@ -22,7 +22,7 @@ feature "xss" do
 
     sleep(1)
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
 
     pending if verifying_fixed?
     expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")