1 files changed, 8 insertions, 7 deletions

diff --git a/lib/api.php b/lib/api.php
index e2ea87b43..539aac4af 100644
--- a/lib/api.php
+++ b/lib/api.php
@@ -1142,15 +1142,10 @@ class ApiAction extends Action
 
     function getTargetUser($id)
     {
-        if (empty($id)) {
+        if (!preg_match('/^[a-zA-Z0-9]+$/', $id)) {
 
             // Twitter supports these other ways of passing the user ID
-            if (is_numeric($this->arg('id'))) {
-                return User::staticGet($this->arg('id'));
-            } else if ($this->arg('id')) {
-                $nickname = common_canonical_nickname($this->arg('id'));
-                return User::staticGet('nickname', $nickname);
-            } else if ($this->arg('user_id')) {
+            if ($this->arg('user_id')) {
                 // This is to ensure that a non-numeric user_id still
                 // overrides screen_name even if it doesn't get used
                 if (is_numeric($this->arg('user_id'))) {
@@ -1159,6 +1154,12 @@ class ApiAction extends Action
             } else if ($this->arg('screen_name')) {
                 $nickname = common_canonical_nickname($this->arg('screen_name'));
                 return User::staticGet('nickname', $nickname);
+
+            } else if (is_numeric($this->arg('id'))) {
+                return User::staticGet($this->arg('id'));
+            } else if ($this->arg('id')) {
+                $nickname = common_canonical_nickname($this->arg('id'));
+                return User::staticGet('nickname', $nickname);
             } else {
                 // Fall back to trying the currently authenticated user
                 return $this->auth_user;