diff --git a/app/api/attendees.py b/app/api/attendees.py
index 4982748c74..d42f18c3a2 100644
--- a/app/api/attendees.py
+++ b/app/api/attendees.py
@@ -170,6 +170,21 @@ def before_update_object(self, obj, data, kwargs):
 # if not has_access('is_registrar', event_id=obj.event_id):
 # raise ForbiddenException({'source': 'User'}, 'You are not authorized to access this.')
 
+ if 'ticket' in data:
+ user = safe_query(self, User, 'id', current_identity.id, 'user_id')
+ ticket = db.session.query(Ticket).filter_by(
+ id=int(data['ticket']), deleted_at=None
+ ).first()
+ if ticket is None:
+ raise UnprocessableEntity(
+ {'pointer': '/data/relationships/ticket'}, "Invalid Ticket"
+ )
+ if not user.is_verified and ticket.price == 0:
+ raise UnprocessableEntity(
+ {'pointer': '/data/relationships/ticket'},
+ "Unverified user cannot buy free tickets"
+ )
+
 if 'device_name_checkin' in data:
 if 'checkin_times' not in data or data['checkin_times'] is None:
 raise UnprocessableEntity(
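Review bot: The ticket lookup in the added `if 'ticket' in data:` block filters only on `id` and `deleted_at`, so a client-supplied id for a ticket that belongs to a different event would pass validation. Unless that is enforced elsewhere (not visible in this hunk), scope the query to the attendee's event, e.g. `filter_by(id=ticket_id, event_id=obj.event_id, deleted_at=None)`, assuming `Ticket` carries an `event_id` column. Separately, `int(data['ticket'])` raises `ValueError`/`TypeError` on a non-numeric or null value, which would surface as a server error instead of the 422 used for the other invalid cases; catch it and raise the same `UnprocessableEntity` with pointer `/data/relationships/ticket`. The `is_registrar` access check in the context lines above is commented out, so it is worth confirming which permission check still guards ticket changes on this path. `before_update_object` starts and continues outside the hunk.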