FIX: Enforce max length for custom user fields

app/assets/javascripts/discourse/templates/components/user-fields/text.hbs

@@ -1,6 +1,6 @@
 <label>{{{field.name}}}</label>
 <div class='controls'>
-  {{input value=value}}
+  {{input value=value maxlength=site.user_field_max_length}}
   {{#if field.required}}<span class='required'>*</span>{{/if}}
   <p>{{{field.description}}}</p>
 </div>

app/controllers/users_controller.rb

@@ -70,6 +70,7 @@ class UsersController < ApplicationController
       UserField.where(editable: true).each do |f|
         val = params[:user_fields][f.id.to_s]
         val = nil if val === "false"
+        val = val[0...UserField.max_length] if val
 
         return render_json_error(I18n.t("login.missing_user_field")) if val.blank? && f.required?
         params[:custom_fields]["user_field_#{f.id}"] = val
@@ -221,7 +222,7 @@ class UsersController < ApplicationController
         if field_val.blank?
           return fail_with("login.missing_user_field") if f.required?
         else
-          fields["user_field_#{f.id}"] = field_val
+          fields["user_field_#{f.id}"] = field_val[0...UserField.max_length]
         end
       end
 

app/models/user_field.rb

@@ -1,5 +1,9 @@
 class UserField < ActiveRecord::Base
   validates_presence_of :name, :description, :field_type
+
+  def self.max_length
+    2048
+  end
 end
 
 # == Schema Information

app/serializers/site_serializer.rb

@@ -10,7 +10,8 @@ class SiteSerializer < ApplicationSerializer
              :anonymous_top_menu_items,
              :uncategorized_category_id, # this is hidden so putting it here
              :is_readonly,
-             :disabled_plugins
+             :disabled_plugins,
+             :user_field_max_length
 
   has_many :categories, serializer: BasicCategorySerializer, embed: :objects
   has_many :post_action_types, embed: :objects
@@ -19,7 +20,6 @@ class SiteSerializer < ApplicationSerializer
   has_many :archetypes, embed: :objects, serializer: ArchetypeSerializer
   has_many :user_fields, embed: :objects, serialzer: UserFieldSerializer
 
-
   def default_archetype
     Archetype.default
   end
@@ -56,4 +56,8 @@ class SiteSerializer < ApplicationSerializer
     Discourse.disabled_plugin_names
   end
 
+  def user_field_max_length
+    UserField.max_length
+  end
+
 end

spec/controllers/users_controller_spec.rb

@@ -596,6 +596,15 @@ describe UsersController do
           expect(inserted.custom_fields["user_field_#{optional_field.id}"]).to eq('value3')
         end
 
+        it "trims excessively long fields" do
+          create_params[:user_fields][optional_field.id.to_s] = ('x' * 3000)
+          xhr :post, :create, create_params.merge(create_params)
+          expect(response).to be_success
+          inserted = User.where(email: @user.email).first
+
+          val = inserted.custom_fields["user_field_#{optional_field.id}"]
+          expect(val.length).to eq(UserField.max_length)
+        end
       end
     end
 
@@ -984,6 +993,11 @@ describe UsersController do
               expect(response).not_to be_success
               expect(user.user_fields[user_field.id.to_s]).not_to eq('happy')
             end
+
+            it "trims excessively large fields" do
+              put :update, username: user.username, name: 'Jim Tom', user_fields: { user_field.id.to_s => ('x' * 3000) }
+              expect(user.user_fields[user_field.id.to_s].size).to eq(UserField.max_length)
+            end
           end
 
           context "uneditable field" do