SECURITY: Prevent users from modifying custom fields

app/controllers/users_controller.rb

@@ -97,13 +97,13 @@ class UsersController < ApplicationController
   def update
     user = fetch_user_from_params
     guardian.ensure_can_edit!(user)
-    attributes = user_params.merge!(custom_fields: params[:custom_fields])
+    attributes = user_params
 
     # We can't update the username via this route. Use the username route
     attributes.delete(:username)
 
     if params[:user_fields].present?
-      attributes[:custom_fields] = {} unless params[:custom_fields].present?
+      attributes[:custom_fields] = {}
 
       fields = UserField.all
       fields = fields.where(editable: true) unless current_user.staff?

spec/requests/users_controller_spec.rb

@@ -1423,7 +1423,6 @@ describe UsersController do
 
           put "/u/#{user.username}.json", params: {
             name: 'Jim Tom',
-            custom_fields: { test: :it },
             muted_usernames: "#{user2.username},#{user3.username}",
             watched_tags: "#{tags[0].name},#{tags[1].name}"
           }
@@ -1433,7 +1432,7 @@ describe UsersController do
           user.reload
 
           expect(user.name).to eq 'Jim Tom'
-          expect(user.custom_fields['test']).to eq 'it'
+
           expect(user.muted_users.pluck(:username).sort).to eq [user2.username, user3.username].sort
           expect(TagUser.where(
             user: user,
@@ -1516,6 +1515,15 @@ describe UsersController do
               expect(user.user_fields[user_field.id.to_s]).to be_blank
             end
           end
+
+          context "custom_field" do
+            it "does not update the custom field" do
+              put "/u/#{user.username}.json", params: { custom_fields: { test: :it } }
+
+              expect(response.status).to eq(200)
+              expect(user.custom_fields["test"]).to be_blank
+            end
+          end
         end
 
         it 'returns user JSON' do