On my forum I have this custom field when users sign up.
But it seems like that spam bots create accounts with a value for that dropdown that is not selectable. Which almost makes it function like a honeypot to determine which account is not human made. But this could maybe also be a security issue?
i think this is because bots don’t use front end sign up that has the validators. those spam bots are using automated post requests to the sign up api endpoint. when custom fields are optional, perhaps sometimes validation isn’t strict enough in backend and still saves the payload value to the database.
i’m not sure what the core fix is, but you also likely need some more anti-spam configuration or tools. Maybe try using Discourse hCaptcha? or AI spam detection (I use AI spam bot on my public forum and it words excellent, and i have optional fields on sign up too.)
you can find all the affected user accounts on your forum by using Data explorer (assuming the custom field is user_field_1 ):
SELECT user_id, value
FROM user_custom_fields
WHERE name = 'user_field_1'
AND value NOT IN ('Bro', 'Sis', '')
if you recently changed the field from a text input to dropdown, this may also account for some those bot accounts with the incorrect field values.
you could try running a curl command to test this too - something like:
curl -i -X POST "https://FORUM_URL/users.json" \
-H "Api-Key: API_KEY" \
-H "Api-Username: system" \
-H "Content-Type: application/json" \
-d '{
"name": "api test user",
"email": "test_validation_bot@example.com",
"password": "SuperSecretPassword123!",
"username": "test_validation_bot",
"active": true,
"user_fields": {
"FIELD_ID": "SomeInvalidText"
}
}'
where FORUM_URL is your forum address, API_KEY a global api key generated from /admin/api/keys, and FIELD_ID is the id of the custom field.
edit: i just tested this with that curl command and yes, i can reproduce this issue - i was able to signup a new user with an unvalidated selection in the custom user field dropdown.