Potential privilege escalation in getUser function #69

@jhvh1

Description

public function getUser($input, $fetchOptions = array())

Assume there is a privileged account with an Id of 1750. Next assume that an account is created with the username "1750". When getUser is called with $input = "1750", the function will return a User object associated with the privileged account with the Id of 1750 instead of the unprivileged account with a username of "1750". This happens because the value of $input passes the test for 'is_numeric' and is therefore used to look up the user by the Id, instead of by the (user)name.
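
The collision described in this issue, reproduced as an added example that is not part of the original report or the project's code. The user table, the `getUserAmbiguous`, `getUserById`, `getUserByName` and `numericUsernames` functions and the role names are assumptions made for illustration; only the `is_numeric` dispatch comes from the issue.

```php
<?php
// Constructed sample data (assumption): user id => row.
$users = [
    1750 => ['username' => 'admin', 'role' => 'administrator'],
    2001 => ['username' => '1750',  'role' => 'member'],
];

// Hypothetical model of the lookup described in the issue: a single
// parameter, with is_numeric() deciding whether it is an id or a name.
function getUserAmbiguous(array $users, string $input): ?array
{
    return is_numeric($input)
        ? getUserById($users, (int) $input)
        : getUserByName($users, $input);
}

// Explicit lookups: the caller states which field it is querying.
function getUserById(array $users, int $id): ?array
{
    return isset($users[$id]) ? ['id' => $id] + $users[$id] : null;
}

function getUserByName(array $users, string $name): ?array
{
    foreach ($users as $id => $row) {
        if ($row['username'] === $name) {
            return ['id' => $id] + $row;
        }
    }
    return null;
}

// Audit helper: usernames that the ambiguous lookup would treat as ids.
function numericUsernames(array $users): array
{
    return array_values(array_filter(
        array_column($users, 'username'),
        'is_numeric'
    ));
}

foreach (['getUserAmbiguous', 'getUserByName'] as $lookup) {
    $u = $lookup($users, '1750');
    printf("%-16s id=%d role=%s\n", $lookup, $u['id'], $u['role']);
}
printf("numeric usernames: %s\n", implode(', ', numericUsernames($users)));
```

Splitting the lookup into one function per field removes the guess about what the caller meant, and the audit helper lists existing accounts whose names the single-parameter form would resolve by Id.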
