From dad505b665717b38cededc4bfe43cd2a147a786e Mon Sep 17 00:00:00 2001
From: Andrei Mihu
Date: Wed, 5 Dec 2018 19:01:49 +0000
Subject: [PATCH] Do not allow users to send friend requests to the root user.
---
 CHANGELOG.md | 2 ++
 server/api_friend.go | 15 ++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c737482c..0872ebcfa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ The format is based on [keep a changelog](http://keepachangelog.com) and this pr
 ### Fixed
 - Correctly report execution mode in Lua runtime after hooks.
 - Use correct parameter type for creator ID in group update queries.
+- Use correct parameter name for lang tag in group update queries.
+- Do not allow users to send friend requests to the root user.
 
 ## [2.2.1] - 2018-11-20
 ### Added
diff --git a/server/api_friend.go b/server/api_friend.go
index 0292d4d88..41d2c62ad 100644
--- a/server/api_friend.go
+++ b/server/api_friend.go
@@ -119,12 +119,15 @@ func (s *ApiServer) AddFriends(ctx context.Context, in *api.AddFriendsRequest) (
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot add self as friend.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot add self as friend.")
 }
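Review bot: The self-check on the context line `if userID.String() == id {` compares the caller's canonical UUID string with the raw request value, while the new `uuid.FromString(id)` on the following changed line also accepts other spellings of the same UUID (upper-case hex, braced or hyphen-less forms in the gofrs/satori parsers), so a request carrying the caller's own ID in a non-canonical form passes the "Cannot add self as friend." check and reaches whatever follows the hunk with the unparsed `id`. Parse first, then compare values with `if uid == userID {` (assuming `userID` is a `uuid.UUID`, as `userID.String()` suggests), and have the code after the hunk consume `uid` rather than `id`; the same ordering applies to the DeleteFriends and BlockFriends hunks below. The `uid == uuid.Nil` and `u == ""` rejections read as ordinary input validation, so the reason from the commit title should be stated next to them, e.g. `// The root/system user is the nil UUID (and presumably has an empty username); never accept it as a friend target.`, with the username half confirmed against the user table since it is not visible here. The loops over IDs and usernames begin before the hunk.
```go
		// … unchanged: range over in.GetIds() starts before this hunk …
		uid, err := uuid.FromString(id)
		// The root/system user is the nil UUID; never accept it as a friend target.
		if err != nil || uid == uuid.Nil {
			return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
		}
		// Compare parsed values: FromString accepts encodings that a string compare
		// against userID.String() would not recognise as the caller's own ID.
		if uid == userID {
			return nil, status.Error(codes.InvalidArgument, "Cannot add self as friend.")
		}
		// … unchanged: username loop …
```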
@@ -206,13 +209,16 @@ func (s *ApiServer) DeleteFriends(ctx context.Context, in *api.DeleteFriendsRequ
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot delete self.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 
 username := ctx.Value(ctxUsernameKey{}).(string)
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot delete self.")
 }
@@ -295,13 +301,16 @@ func (s *ApiServer) BlockFriends(ctx context.Context, in *api.BlockFriendsReques
 if userID.String() == id {
 return nil, status.Error(codes.InvalidArgument, "Cannot block self.")
 }
- if _, err := uuid.FromString(id); err != nil {
+ if uid, err := uuid.FromString(id); err != nil || uid == uuid.Nil {
 return nil, status.Error(codes.InvalidArgument, "Invalid user ID '"+id+"'.")
 }
 }
 
 username := ctx.Value(ctxUsernameKey{}).(string)
 for _, u := range in.GetUsernames() {
+ if u == "" {
+ return nil, status.Error(codes.InvalidArgument, "Username must not be empty.")
+ }
 if username == u {
 return nil, status.Error(codes.InvalidArgument, "Cannot block self.")
 }
-- GitLab