From e1dc62c2e30a8f8ab4f4fe50a502a81eb0720d41 Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Tue, 25 Aug 2020 12:37:17 +0200
Subject: [PATCH] Clear accountUUID if it's still `me` after validation

---
 pkg/service/v0/service.go | 4 ++++
 pkg/service/v0/service_test.go | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/service/v0/service.go b/pkg/service/v0/service.go
index 1c278038bc..8101201349 100644
--- a/pkg/service/v0/service.go
+++ b/pkg/service/v0/service.go
@@ -328,6 +328,10 @@ func getValidatedAccountUUID(c context.Context, accountUUID string) string {
 accountUUID = ownAccountUUID
 }
 }
+ if accountUUID == "me" {
+ // no matter what happens above, an accountUUID of `me` must not be passed on. Clear it instead.
+ accountUUID = ""
+ }
 return accountUUID
 }
 
diff --git a/pkg/service/v0/service_test.go b/pkg/service/v0/service_test.go
index a1c5ca2dbb..a8eda07580 100644
--- a/pkg/service/v0/service_test.go
+++ b/pkg/service/v0/service_test.go
@@ -26,11 +26,17 @@ var (
 expect: ctxWithUUID.Value(middleware.UUIDKey).(string),
 },
 {
- name: "context without UUID; identifier = 'me'",
+ name: "context with empty UUID; identifier = 'me'",
 ctx: ctxWithEmptyUUID,
 accountUUID: "me",
 expect: "",
 },
+ {
+ name: "context without UUID; identifier = 'me'",
+ ctx: emptyCtx,
+ accountUUID: "me",
+ expect: "",
+ },
 {
 name: "context with UUID; identifier not 'me'",
 ctx: ctxWithUUID,
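Review bot: The new fallback in getValidatedAccountUUID turns an unresolvable "me" into the empty string, and the function has no error return, so every caller has to treat "" as "no account" and reject the request. If any caller or the store behind it reads an empty account UUID as "no filter", the request would widen its scope instead of failing closed; the callers are outside this hunk, so that needs checking. I would state the contract on the function, e.g. `// getValidatedAccountUUID returns "" when "me" cannot be resolved from the context; callers must reject an empty result.` The function's signature and the resolution logic above the added lines begin outside the hunk.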