https://github.com/discourse/discourse/blob/master/app/controllers/application_controller.rb#L631
The above code is called on all page requests to discourse. The problem arises that guardian is a lazy-loaded memoized variable which at this point during login in the call is just a representation of an Anonymous user because the user login has not yet been attempted and thus failed or succeeded. When the success login response is rendered the memoized variable for guardian is still used and thus returns policies based on an anonymous user and not the policies for the user we just logged in as.
The result of a login serialises the current user to json and conditionally adds fields based on the policies returned by guardian. One of the policies is can_edit of which an anonymous user can not edit the current users record, however the actual user logged in should be able to edit their own user account and if the guardian variable is replaced with an instance of the currently logged in user then the json returns can_edit to be true as it should.
I am more than happy to PR a fix but theres a couple of ways to fix this, and I wanted to know if there was a deeper less hacky way to fix this deeper in the depths of Discourse short of just adding @guardian = nil to def log_in 
Current workaround is to set the environment variable DISCOURSE_LOAD_MINI_PROFILER=false