diff --git a/packages/worker/src/api/controllers/admin/users.js b/packages/worker/src/api/controllers/admin/users.js
index 68198223a2..82ca0df515 100644
--- a/packages/worker/src/api/controllers/admin/users.js
+++ b/packages/worker/src/api/controllers/admin/users.js
@@ -102,6 +102,9 @@ exports.self = async ctx => {
 if (ctx.request.body.password) {
 ctx.request.body.password = await hash(ctx.request.body.password)
 }
+ // don't allow sending up an ID/Rev, always use the existing one
+ delete ctx.request.body._id
+ delete ctx.request.body._rev
 const response = await db.put({
 ...user,
 ...ctx.request.body,
diff --git a/packages/worker/src/api/routes/admin/users.js b/packages/worker/src/api/routes/admin/users.js
index 1f6aebb191..b3581b7e19 100644
--- a/packages/worker/src/api/routes/admin/users.js
+++ b/packages/worker/src/api/routes/admin/users.js
@@ -7,10 +7,10 @@ const router = Router()
 function buildUserSaveValidation(isSelf = false) {
 let schema = {
- email: Joi.string(),
+ email: Joi.string().allow(null, ""),
 password: Joi.string().allow(null, ""),
- firstName: Joi.string(),
- lastName: Joi.string(),
+ firstName: Joi.string().allow(null, ""),
+ lastName: Joi.string().allow(null, ""),
 builder: Joi.object({
 global: Joi.boolean().optional(),
 apps: Joi.array().optional(),
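Review bot: The two `delete` calls before `db.put` are a denylist, and the request body is still spread over the stored `user`, so every other key that passes route validation is written to the caller's own record. The schema in routes/admin/users.js lists `builder`, and whether the `isSelf` variant removes it is not visible here; the `db.put` object literal also continues past the hunk, so later keys may already override some fields. Copying only the fields a self-update is meant to change would be safer than deleting known-bad ones, e.g. `const { email, password, firstName, lastName } = ctx.request.body` and merging just those (field list assumed from the schema, to be confirmed). A regression test that sends another document's `_id` to this endpoint and checks that only the caller's own record changes would pin the fix.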
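Review bot: Allowing `null` and `""` for `email` means a blank value now passes validation, and the self controller merges the body with `...ctx.request.body`, so a blank `email` would overwrite the stored one instead of leaving it unchanged. If email is the login identifier (not visible here), an account could end up without one. Joi keys are optional unless marked `.required()`, so a client that is not changing the address can omit the key; I would keep `email: Joi.string(),` and relax only `firstName`/`lastName`, or drop null and empty values before the merge. `buildUserSaveValidation` ends outside the hunk, so any `isSelf`-specific handling of these keys cannot be checked from here.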