diff --git a/routes/routes.js b/routes/routes.js index 2bc5e7c..ae124d2 100644 --- a/routes/routes.js +++ b/routes/routes.js @@ -41,8 +41,8 @@ router.delete('/comments/:id', authenticatedAdmin, commentController.deleteComme router.get('/users/top', authenticated, userController.getTopUser) router.get('/users/:id', authenticated, userController.getUser) -// router.get('/users/:id/edit', authenticated, userController.editUser) -// router.put('/users/:id', authenticated, upload.single('image'), userController.putUser) +router.get('/users/:id/edit', authenticated, userController.editUser) +router.put('/users/:id', authenticated, upload.single('image'), userController.putUser) router.post('/favorite/:restaurantId', authenticated, userController.addFavorite) router.delete('/favorite/:restaurantId', authenticated, userController.removeFavorite) router.post('/like/:restaurantId', authenticated, userController.addLike) @@ -61,7 +61,7 @@ router.put('/admin/restaurants/:id', authenticatedAdmin, upload.single('image'), router.delete('/admin/restaurants/:id', authenticatedAdmin, adminController.deleteRestaurant) router.get('/admin/users', authenticatedAdmin, adminController.getUsers) -// router.put('/admin/users/:id', authenticatedAdmin, adminController.putUsers) +router.put('/admin/users/:id', authenticatedAdmin, adminController.putUsers) router.get('/admin/categories', authenticatedAdmin, categoryController.getCategories) router.post('/admin/categories', authenticatedAdmin, categoryController.postCategory) diff --git a/tests/A17.test.js b/tests/A17.test.js new file mode 100644 index 0000000..94c3238 --- /dev/null +++ b/tests/A17.test.js 
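Review bot: Both re-enabled routes, `router.get('/users/:id/edit', authenticated, ...)` and `router.put('/users/:id', authenticated, upload.single('image'), ...)`, are gated only by `authenticated`, while `:id` is taken from the URL. Unless `userController.editUser` and `putUser` (not shown in this diff) compare the path id with the logged-in user's id, any signed-in user can edit another user's profile. I would enforce that ownership check in the controller or in a small middleware on both routes, and record it with a comment such as `// :id must equal the session user's id; enforced in userController`. Since the PUT route now accepts an upload from every authenticated user, it is also worth confirming that the `upload` configuration limits file size and type.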
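Review bot: `router.put('/admin/users/:id', authenticatedAdmin, adminController.putUsers)` exposes a privilege change, and nothing visible here stops an admin from clearing their own flag or that of the last remaining admin. The controller is outside this diff, so this may already be handled; if not, `putUsers` should refuse when `:id` is the caller's own id and should update only `isAdmin` from the body rather than passing the whole body to the model. A one-line comment above the route, e.g. `// grants/revokes admin; putUsers must only touch isAdmin`, would record the intent.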
@@ -0,0 +1,82 @@
+const assert = require('assert')
+const moment = require('moment')
+const chai = require('chai')
+const request = require('supertest')
+const sinon = require('sinon')
+const should = chai.should()
+const { expect } = require('chai')
+
+const app = require('../app')
+const routes = require('../routes/index')
+const db = require('../models')
+const helpers = require('../_helpers');
+
+describe('# A17: 使用者權限管理', function() {
+
+ context('# [顯示使用者清單]', () => {
+ before(async() => {
+ this.ensureAuthenticated = sinon.stub(
+ helpers, 'ensureAuthenticated'
+ ).returns(true);
+ this.getUser = sinon.stub(
+ helpers, 'getUser'
+ ).returns({id: 1, isAdmin: true});
+
+ await db.User.destroy({where: {},truncate: true})
+ await db.User.create({name: 'User1'})
+ })
+
+ it(" GET /admin/users ", (done) => {
+ request(app)
+ .get('/admin/users')
+ .end(function(err, res) {
+ res.text.should.include('User1')
+ done()
+ });
+ });
+
+ after(async () => {
+ this.ensureAuthenticated.restore();
+ this.getUser.restore();
+ await db.User.destroy({where: {},truncate: true})
+ })
+
+ })
+
+ context('# [修改使用者權限]', () => {
+ before(async() => {
+ this.ensureAuthenticated = sinon.stub(
+ helpers, 'ensureAuthenticated'
+ ).returns(true);
+ this.getUser = sinon.stub(
+ helpers, 'getUser'
+ ).returns({id: 1, isAdmin: true});
+
+ await db.User.destroy({where: {},truncate: true})
+ await db.User.create({name: 'User1', isAdmin: false})
+ })
+
+ it(" PUT /admin/users/:id ", (done) => {
+ db.User.findByPk(1).then(user => {
+ user.isAdmin.should.equal(false);
+ request(app)
+ .put('/admin/users/1')
+ .send({isAdmin: 'true'})
+ .end(function(err, res) {
+ db.User.findByPk(1).then(user => {
+ user.name.should.equal('User1');
+ user.isAdmin.should.equal(true);
+ return done();
+ })
+ });
+ })
+ });
+
+ after(async () => {
+ this.ensureAuthenticated.restore();
+ this.getUser.restore();
+ await db.User.destroy({where: {},truncate: true})
+ })
+
+ })
+})
\ No newline at end of file
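Review bot: The new file only exercises `PUT /admin/users/:id` with `getUser` stubbed to `{id: 1, isAdmin: true}`, so nothing fails if `authenticatedAdmin` stops rejecting ordinary users on the route that grants admin rights. I would add a context with the stub returning `isAdmin: false` and assert that the stored flag is unchanged; this assumes `authenticatedAdmin` reads the user through `helpers.getUser`, which the existing stubs suggest but the diff does not show. Separately, the `.end(function(err, res) {...})` callbacks ignore `err` and assert inside a `.then` with no rejection handler, so a failed assertion surfaces as a timeout rather than a clear failure; awaiting the request, as below, avoids that. The same callback pattern recurs in tests/A19.test.js.

```javascript
// … unchanged: the two existing contexts …
  context('# [non-admin cannot change permissions]', () => {
    before(async () => {
      this.ensureAuthenticated = sinon.stub(helpers, 'ensureAuthenticated').returns(true);
      this.getUser = sinon.stub(helpers, 'getUser').returns({id: 1, isAdmin: false});
      await db.User.destroy({where: {}, truncate: true})
      await db.User.create({name: 'User1', isAdmin: false})
    })

    it(' PUT /admin/users/:id as a non-admin leaves isAdmin unchanged ', async () => {
      await request(app).put('/admin/users/1').send({isAdmin: 'true'})
      const user = await db.User.findByPk(1)
      user.isAdmin.should.equal(false)
    })

    after(async () => {
      this.ensureAuthenticated.restore();
      this.getUser.restore();
      await db.User.destroy({where: {}, truncate: true})
    })
  })
```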
diff --git a/tests/A19.test.js b/tests/A19.test.js
new file mode 100644
index 0000000..23e9747
--- /dev/null
+++ b/tests/A19.test.js
@@ -0,0 +1,114 @@
+const assert = require('assert')
+const moment = require('moment')
+const chai = require('chai')
+const request = require('supertest')
+const sinon = require('sinon')
+const should = chai.should()
+const { expect } = require('chai')
+
+const app = require('../app')
+const routes = require('../routes/index')
+const db = require('../models')
+const helpers = require('../_helpers');
+
+describe('# A19: 建立 User Profile', function() {
+
+ context('# [瀏覽 Profile]', () => {
+ before(async() => {
+ this.ensureAuthenticated = sinon.stub(
+ helpers, 'ensureAuthenticated'
+ ).returns(true);
+ this.getUser = sinon.stub(
+ helpers, 'getUser'
+ ).returns({id: 1, Followings: []});
+
+ await db.User.destroy({where: {},truncate: true})
+ await db.User.create({name: 'User1'})
+ })
+
+ it(" GET /users/:id ", (done) => {
+ request(app)
+ .get('/users/1')
+ .end(function(err, res) {
+ res.text.should.include('User1')
+ done()
+ });
+ });
+
+ after(async () => {
+ this.ensureAuthenticated.restore();
+ this.getUser.restore();
+ await db.User.destroy({where: {},truncate: true})
+ })
+
+ })
+
+ context('# [瀏覽編輯 Profile 頁面]', () => {
+ before(async() => {
+ this.ensureAuthenticated = sinon.stub(
+ helpers, 'ensureAuthenticated'
+ ).returns(true);
+ this.getUser = sinon.stub(
+ helpers, 'getUser'
+ ).returns({id: 1});
+
+ await db.User.destroy({where: {},truncate: true})
+ await db.User.create({name: 'User1'})
+ })
+
+ it(" GET /users/:id/edit ", (done) => {
+ db.User.findByPk(1).then(user => {
+ user.isAdmin.should.equal(false);
+ request(app)
+ .get('/users/1/edit')
+ .end(function(err, res) {
+ db.User.findByPk(1).then(user => {
+ user.name.should.equal('User1');
+ return done();
+ })
+ });
+ })
+ });
+
+ after(async () => {
+ this.ensureAuthenticated.restore();
+ this.getUser.restore();
+ await db.User.destroy({where: {},truncate: true})
+ })
+
+ })
+
+ context('# [編輯 Profile]', () => {
+ before(async() => {
+ this.ensureAuthenticated = sinon.stub(
+ helpers, 'ensureAuthenticated'
+ ).returns(true);
+ this.getUser = sinon.stub(
+ helpers, 'getUser'
+ ).returns({id: 1});
+
+ await db.User.destroy({where: {},truncate: true})
+ await db.User.create({name: 'User1'})
+ })
+
+ it(" PUT /users/:id ", (done) => {
+ request(app)
+ .put('/users/1')
+ .send({name: 'User1User1'})
+ .end(function(err, res) {
+ db.User.findByPk(1).then(user => {
+ user.name.should.equal('User1User1');
+ return done();
+ })
+ });
+ });
+
+ after(async () => {
+ this.ensureAuthenticated.restore();
+ this.getUser.restore();
+ await db.User.destroy({where: {},truncate: true})
+ })
+
+ })
+
+})
\ No newline at end of file
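Review bot: Every context stubs the session user as `{id: 1}` and requests `/users/1`, so the suite still passes if `PUT /users/:id` lets one user overwrite another user's profile. A case where the stubbed user id differs from the path id, asserting that the target row is unchanged, would pin the ownership check; whether the controller currently enforces it is not visible in this diff. The `GET /users/:id/edit` test also asserts nothing about the response, so a check such as `res.text.should.include('User1')` (assuming the form pre-fills the name) would make it meaningful.

```javascript
// … unchanged: the three existing contexts …
  context('# [edit another user\'s Profile]', () => {
    // … unchanged: before/after as in the other contexts, except getUser returns {id: 2} …
    it(' PUT /users/:id for a different user leaves the row unchanged ', async () => {
      await request(app).put('/users/1').send({name: 'Changed'})
      const user = await db.User.findByPk(1)
      user.name.should.equal('User1')
    })
  })
```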