diff --git a/src/socket.io/flags.js b/src/socket.io/flags.js
index 18294b2a8c..481fae3936 100644
--- a/src/socket.io/flags.js
+++ b/src/socket.io/flags.js
@@ -22,13 +22,15 @@ SocketFlags.update = async function (socket, data) {
 }
 // Old socket method took input directly from .serializeArray(), v3 expects fully-formed obj.
- let payload = {};
+ let payload = {
+ flagId: data.flagId,
+ };
 payload = data.data.reduce((memo, cur) => {
 memo[cur.name] = cur.value;
 return memo;
 }, payload);
- return api.flags.update(socket, payload);
+ return await api.flags.update(socket, payload);
 };
 SocketFlags.appendNote = async function (socket, data) {
diff --git a/test/flags.js b/test/flags.js
index 575f4139a0..071e0fd6c5 100644
--- a/test/flags.js
+++ b/test/flags.js
@@ -1,12 +1,16 @@
 'use strict';
 const assert = require('assert');
+const nconf = require('nconf');
 const async = require('async');
+const request = require('request-promise-native');
 const util = require('util');
 const sleep = util.promisify(setTimeout);
 const db = require('./mocks/databasemock');
+const helpers = require('./helpers');
+
 const Flags = require('../src/flags');
 const Categories = require('../src/categories');
 const Topics = require('../src/topics');
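Review bot: In `SocketFlags.update` (src/socket.io/flags.js), `flagId` is seeded before the reduce, so any entry in `data.data` whose `name` is `flagId` overwrites it. The id that reaches `api.flags.update` can then differ from the `data.flagId` that any earlier check looked at; the function starts above the hunk, so that check is not visible here. The reduce also copies every client-supplied `name` verbatim, so a name such as `__proto__` can change the payload object's prototype instead of adding a field. Assign the id after the reduce, `payload.flagId = data.flagId;`, and consider skipping names that are not plain flag fields.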
@@ -697,34 +701,47 @@ describe('Flags', () => {
 const SocketFlags = require('../src/socket.io/flags');
 let pid;
 let tid;
- before((done) => {
- Topics.post({
+ let jar;
+ let csrfToken;
+ before(async () => {
+ const login = util.promisify(helpers.loginUser);
+ jar = await login('testUser2', 'abcdef');
+ const config = await request({
+ url: `${nconf.get('url')}/api/config`,
+ json: true,
+ jar: jar,
+ });
+ csrfToken = config.csrf_token;
+
+ const result = await Topics.post({
 cid: 1,
 uid: 1,
 title: 'Another topic',
 content: 'This is flaggable content',
- }, (err, result) => {
- pid = result.postData.pid;
- tid = result.topicData.tid;
- done(err);
 });
+ pid = result.postData.pid;
+ tid = result.topicData.tid;
 });
 describe('.create()', () => {
- it('should create a flag with no errors', (done) => {
- SocketFlags.create({ uid: 2 }, {
- type: 'post',
- id: pid,
- reason: 'foobar',
- }, (err) => {
- assert.ifError(err);
-
- Flags.exists('post', pid, 1, (err, exists) => {
- assert.ifError(err);
- assert(true);
- done();
- });
+ it('should create a flag with no errors', async () => {
+ await request({
+ method: 'post',
+ uri: `${nconf.get('url')}/api/v3/flags`,
+ jar,
+ headers: {
+ 'x-csrf-token': csrfToken,
+ },
+ body: {
+ type: 'post',
+ id: pid,
+ reason: 'foobar',
+ },
+ json: true,
 });
+
+ const exists = await Flags.exists('post', pid, 2);
+ assert(exists);
 });
 it('should escape flag reason', async () => {
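Review bot: Every request added in this hunk carries both the session `jar` and a valid `x-csrf-token`, so the suite would keep passing if `POST /api/v3/flags` stopped requiring either one. A negative case next to 'should create a flag with no errors' would pin that down. It would send the same body without the header, using `simple: false` and `resolveWithFullResponse: true` as the no-privileges test later in this diff does, and assert the request is refused, e.g. `assert.notStrictEqual(statusCode, 200);`. The expected status for a missing token is not shown on this page, so take the exact code from the API's behaviour. The `describe` block containing these tests starts and ends outside the hunk.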
@@ -734,13 +751,22 @@ describe('Flags', () => {
 content: 'This is flaggable content',
 });
- const flagId = await SocketFlags.create({ uid: 2 }, {
- type: 'post',
- id: postData.pid,
- reason: '"',
+ const { response } = await request({
+ method: 'post',
+ uri: `${nconf.get('url')}/api/v3/flags`,
+ jar,
+ headers: {
+ 'x-csrf-token': csrfToken,
+ },
+ body: {
+ type: 'post',
+ id: postData.pid,
+ reason: '"',
+ },
+ json: true,
 });
- const flagData = await Flags.get(flagId);
+ const flagData = await Flags.get(response.flagId);
 assert.strictEqual(flagData.reports[0].value, '"<script>alert('ok');</script>');
 });
@@ -755,29 +781,59 @@ describe('Flags', () => {
 title: 'private topic',
 content: 'private post',
 });
- try {
- await SocketFlags.create({ uid: uid3 }, { type: 'post', id: result.postData.pid, reason: 'foobar' });
- } catch (err) {
- assert.equal(err.message, '[[error:no-privileges]]');
- }
+ const jar3 = await util.promisify(helpers.loginUser)('unprivileged', 'abcdef');
+ const config = await request({
+ url: `${nconf.get('url')}/api/config`,
+ json: true,
+ jar: jar3,
+ });
+ const csrfToken = config.csrf_token;
+ const { statusCode, body } = await request({
+ method: 'post',
+ uri: `${nconf.get('url')}/api/v3/flags`,
+ jar: jar3,
+ headers: {
+ 'x-csrf-token': csrfToken,
+ },
+ body: {
+ type: 'post',
+ id: result.postData.pid,
+ reason: 'foobar',
+ },
+ json: true,
+ simple: false,
+ resolveWithFullResponse: true,
+ });
+ assert.strictEqual(statusCode, 403);
+ assert.deepStrictEqual(body, {
+ status: {
+ code: 'forbidden',
+ message: 'You do not have enough privileges for this action.',
+ },
+ response: {},
+ });
 });
 });
 describe('.update()', () => {
- it('should update a flag\'s properties', (done) => {
- SocketFlags.update({ uid: 2 }, {
- flagId: 2,
- data: [{
- name: 'state',
- value: 'wip',
- }],
- }, (err, history) => {
- assert.ifError(err);
- assert(Array.isArray(history));
- assert(history[0].fields.hasOwnProperty('state'));
- assert.strictEqual('[[flags:state-wip]]', history[0].fields.state);
- done();
+ it('should update a flag\'s properties', async () => {
+ const { response } = await request({
+ method: 'put',
+ uri: `${nconf.get('url')}/api/v3/flags/2`,
+ jar,
+ headers: {
+ 'x-csrf-token': csrfToken,
+ },
+ body: {
+ state: 'wip',
+ },
+ json: true,
 });
+
+ const { history } = response;
+ assert(Array.isArray(history));
+ assert(history[0].fields.hasOwnProperty('state'));
+ assert.strictEqual('[[flags:state-wip]]', history[0].fields.state);
 });
 });
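Review bot: The `.update()` test exercises `PUT /api/v3/flags/2` only with the suite-level `jar` session, so nothing checks that a session without privileges is refused on update. The 'unprivileged' login built in the preceding test (`jar3`) would be the natural fixture, presumably asserting `assert.strictEqual(statusCode, 403);` as that test does for create. The flag id is also hard-coded in the URI, which ties the test to the order in which earlier tests created flags; capturing `response.flagId` from a create request would avoid that. In the no-privileges test, `const csrfToken = config.csrf_token;` shadows the suite-level `csrfToken`; a distinct name such as `csrfToken3` keeps the two sessions apart. Both test bodies sit inside `describe` blocks that open before the hunk.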