diff --git a/src/load-config.js b/src/load-config.js
index 0df11b227..12b3beac0 100644
--- a/src/load-config.js
+++ b/src/load-config.js
@@ -108,7 +108,13 @@ const finalConfig = {
     ? process.env.ACTUAL_LOGIN_METHOD.toLowerCase()
     : config.loginMethod,
   multiuser: process.env.ACTUAL_MULTIUSER
-    ? process.env.ACTUAL_MULTIUSER.toLowerCase() === 'true'
+    ? (() => {
+        const value = process.env.ACTUAL_MULTIUSER.toLowerCase();
+        if (!['true', 'false'].includes(value)) {
+          throw new Error('ACTUAL_MULTIUSER must be either "true" or "false"');
+        }
+        return value === 'true';
+      })()
     : config.multiuser,
   trustedProxies: process.env.ACTUAL_TRUSTED_PROXIES
     ? process.env.ACTUAL_TRUSTED_PROXIES.split(',').map((q) => q.trim())
diff --git a/src/services/user-service.js b/src/services/user-service.js
index 39da767ac..34a05bd06 100644
--- a/src/services/user-service.js
+++ b/src/services/user-service.js
@@ -1,24 +1,33 @@
 import getAccountDb from '../account-db.js';
 
 export function getUserByUsername(userName) {
+  if (!userName || typeof userName !== 'string') {
+    return null;
+  }
   const { id } =
     getAccountDb().first('SELECT id FROM users WHERE user_name = ?', [
       userName,
     ]) || {};
-  return id;
+  return id || null;
 }
 
 export function getUserById(userId) {
+  if (!userId) {
+    return null;
+  }
   const { id } =
-    getAccountDb().first('SELECT id FROM users WHERE id = ?', [userId]) || {};
-  return id;
+    getAccountDb().first('SELECT * FROM users WHERE id = ?', [userId]) || {};
+  return id || null;
 }
 
 export function getFileById(fileId) {
+  if (!fileId) {
+    return null;
+  }
   const { id } =
-    getAccountDb().first('SELECT id FROM files WHERE files.id = ?', [fileId]) ||
+    getAccountDb().first('SELECT * FROM files WHERE files.id = ?', [fileId]) ||
     {};
-  return id;
+  return id || null;
 }
 
 export function validateRole(roleId) {
@@ -173,14 +182,20 @@ export function deleteUserAccessByFileId(userIds, fileId) {
   const CHUNK_SIZE = 999;
   let totalChanges = 0;
 
-  for (let i = 0; i < userIds.length; i += CHUNK_SIZE) {
-    const chunk = userIds.slice(i, i + CHUNK_SIZE);
-    const placeholders = chunk.map(() => '?').join(',');
+  try {
+    getAccountDb().transaction(() => {
+      for (let i = 0; i < userIds.length; i += CHUNK_SIZE) {
+        const chunk = userIds.slice(i, i + CHUNK_SIZE);
+        const placeholders = chunk.map(() => '?').join(',');
 
-    const sql = `DELETE FROM user_access WHERE user_id IN (${placeholders}) AND file_id = ?`;
+        const sql = `DELETE FROM user_access WHERE user_id IN (${placeholders}) AND file_id = ?`;
 
-    const result = getAccountDb().mutate(sql, [...chunk, fileId]);
-    totalChanges += result.changes;
+        const result = getAccountDb().mutate(sql, [...chunk, fileId]);
+        totalChanges += result.changes;
+      }
+    });
+  } catch (error) {
+    throw new Error(`Failed to delete user access: ${error.message}`);
   }
 
   return totalChanges;