fix: dont allow core user fields to be used as custom fields

public/language/en-GB/error.json

@@ -213,6 +213,7 @@
 	"custom-user-field-select-value-invalid": "Custom field selected option is invalid, %1",
 	"custom-user-field-invalid-link": "Custom field link is invalid, %1",
 	"custom-user-field-invalid-number": "Custom field number is invalid, %1",
+	"invalid-custom-user-field": "Invalid custom user field, \"%1\" is already used by NodeBB",
 	"post-already-flagged": "You have already flagged this post",
 	"user-already-flagged": "You have already flagged this user",
 	"post-flagged-too-many-times": "This post has been flagged by others already",

public/src/admin/manage/users/custom-fields.js

@@ -37,7 +37,7 @@ define('admin/manage/user/custom-fields', [
 			});
 			socket.emit('admin.user.saveCustomFields', fields, function (err) {
 				if (err) {
-					alerts.error(err);
+					return alerts.error(err);
 				}
 				alerts.success('[[admin/manage/user-custom-fields:custom-fields-saved]]');
 			});

src/socket.io/admin/user.js

@@ -189,6 +189,12 @@ User.exportUsersCSV = async function (socket, data) {
 };
 
 User.saveCustomFields = async function (socket, fields) {
+	const userFields = user.getUserFieldWhitelist();
+	for (const field of fields) {
+		if (userFields.includes(field.key) || userFields.includes(field.key.toLowerCase())) {
+			throw new Error(`[[error:invalid-custom-user-field, ${field.key}]]`);
+		}
+	}
 	const keys = await db.getSortedSetRange('user-custom-fields', 0, -1);
 	await db.delete('user-custom-fields');
 	await db.deleteAll(keys.map(k => `user-custom-field:${k}`));

src/user/data.js

@@ -52,6 +52,10 @@ module.exports = function (User) {
 		customFieldWhiteList = await db.getSortedSetRange('user-custom-fields', 0, -1);
 	};
 
+	User.getUserFieldWhitelist = function () {
+		return fieldWhitelist.slice();
+	};
+
 	User.getUsersFields = async function (uids, fields) {
 		if (!Array.isArray(uids) || !uids.length) {
 			return [];