diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c737482ceb3af23cabedf3606b540ccd431600a..0872ebcfa832b13996de5b216fb446a065bd41bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ The format is based on [keep a changelog](http://keepachangelog.com) and this pr
 ### Fixed
 - Correctly report execution mode in Lua runtime after hooks.
 - Use correct parameter type for creator ID in group update queries.
+- Use correct parameter name for lang tag in group update queries.
+- Do not allow users to send friend requests to the root user.
 ## [2.2.1] - 2018-11-20
 ### Added
diff --git a/server/api_friend.go b/server/api_friend.go
index 0292d4d88ded48015f67329004282287a55aac86..41d2c62ad54dc8c54c7c6c79cd32c67ff4209b13 100644
--- a/server/api_friend.go
+++ b/server/api_friend.go
@@ -119,12 +119,15 @@ func (s *ApiServer) AddFriends(ctx context.Context, in *api.AddFriendsRequest) (
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot add self as friend.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot add self as friend.")
 }
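Review bot: The self-check `userID.String() == id` compares the raw request string before the ID is parsed, so it only matches one exact spelling of the caller's own ID. If `uuid.FromString` accepts other spellings of the same UUID (upper-case hex, for instance), such a value passes both this check and the new `uuid.Nil` check and is then handled as if it were a different user; what later code does with it is outside the hunk. Parsing first and comparing values removes the dependence on spelling: `uid, err := uuid.FromString(id)`, reject on `err != nil || uid == uuid.Nil`, then `if uid == userID` for the self case (this assumes `userID` is a `uuid.UUID`, which the `.String()` call suggests). The same ordering is in the DeleteFriends and BlockFriends hunks, and all three `for` loops over the IDs begin outside the visible lines.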
@@ -206,13 +209,16 @@ func (s *ApiServer) DeleteFriends(ctx context.Context, in *api.DeleteFriendsRequ
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot delete self.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 username := ctx.Value(ctxUsernameKey{}).(string)
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot delete self.")
 }
@@ -295,13 +301,16 @@ func (s *ApiServer) BlockFriends(ctx context.Context, in *api.BlockFriendsReques
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot block self.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 username := ctx.Value(ctxUsernameKey{}).(string)
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot block self.")
 }
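Review bot: `username := ctx.Value(ctxUsernameKey{}).(string)` in DeleteFriends is a single-value type assertion, so a context that lacks the key or holds a non-string value panics the handler instead of producing an RPC error. The two-value form keeps that failure on the normal error path: `username, ok := ctx.Value(ctxUsernameKey{}).(string)` followed by `if !ok { return nil, status.Error(codes.Internal, "<message>") }`. Presumably an authentication interceptor always sets the key, but nothing in the visible lines guarantees it. The same line appears in the BlockFriends hunk.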
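Review bot: The `uid == uuid.Nil` test in BlockFriends has no comment, and its error still reads "Invalid user ID", so the code does not say why the nil UUID is refused; only the CHANGELOG entry in this commit hints that it stands for the root user. A one-line comment above the check would record the intent, e.g. `// The nil UUID is reserved (root user per CHANGELOG); never accept it as a friend-operation target.` The ID and username validation is now repeated almost verbatim in AddFriends, DeleteFriends and BlockFriends, and moving it into one shared helper would stop the three copies from drifting apart when the next rule is added.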