Remove all getUser() calls


This follows the Facebook login bug we had:

That problem arose because there's a method in the user model called getUser() which attempts to guess whether the incoming data is a user id or a username. For users with numeric usernames this guess is ambiguous (the same value is a valid id and a valid username), so it makes no sense and leads to insecurity. We must remove all references to this function. Please feel free to just change one or two calls and send a pull request; it all helps!

I count 46 instances of getUser in the codebase, including some comments and the function declaration itself. Try this line to find them:

grep -R 'getUser(' *

There is a method getUserByUsername() in the user model; perhaps we can implement a getUserByID() as well and then remove the getUser() method entirely, to be sure.
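As an added illustration (this is not code from the project in this issue, and since the issue does not name the codebase's language it is written in Python), the following shows the ambiguity the issue describes and the unambiguous replacement it proposes. The user table, the usernames and the helper names `get_user`, `get_user_by_id`, `get_user_by_username` and `find_get_user_calls` are all constructed for this example.

```python
import re

# Constructed sample data: one ordinary account and one whose username is
# entirely numeric, which is exactly the case the guessing lookup gets wrong.
USERS = [
    {"id": 42, "username": "alice"},
    {"id": 7, "username": "42"},
]


def get_user_by_id(user_id):
    """Unambiguous lookup: the caller states that the value is an id."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("user_id must be an int")
    for user in USERS:
        if user["id"] == user_id:
            return user
    return None


def get_user_by_username(username):
    """Unambiguous lookup: the caller states that the value is a username."""
    if not isinstance(username, str):
        raise TypeError("username must be a str")
    for user in USERS:
        if user["username"] == username:
            return user
    return None


def get_user(value):
    """The problematic pattern: guess the key type from the value's shape.

    Any all-digit input is treated as an id, so a request for the account
    named "42" silently resolves to the account with id 42 instead.
    """
    text = str(value)
    if text.isdigit():
        return get_user_by_id(int(text))
    return get_user_by_username(text)


def demonstrate():
    """Return (who the guess resolves "42" to, who the explicit lookup resolves it to)."""
    guessed = get_user("42")                 # lands on id 42: alice, the wrong account
    explicit = get_user_by_username("42")    # lands on the account actually named "42"
    return guessed["username"], explicit["id"]


# A small stand-in for the grep in the issue: report lines that still call the
# ambiguous method. The word boundary plus "(" keeps getUserByUsername( and
# getUserByID( out of the results.
GET_USER_CALL = re.compile(r"\bgetUser\(")


def find_get_user_calls(source_text):
    """Return (line_number, line) for every line that still calls getUser()."""
    return [
        (number, line)
        for number, line in enumerate(source_text.splitlines(), start=1)
        if GET_USER_CALL.search(line)
    ]


if __name__ == "__main__":
    print("guess vs explicit:", demonstrate())
    # Constructed snippet standing in for a file in the codebase.
    sample = (
        "$u = $model->getUser($input);\n"
        "$u = $model->getUserByUsername($name);\n"
        "// TODO: drop getUser() once callers are migrated\n"
    )
    for number, line in find_get_user_calls(sample):
        print(f"{number}: {line}")
```

The explicit lookups also reject a value of the wrong type rather than coercing it, so a caller that passes request input straight through gets an error instead of a quietly different account.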


Andy Slack


Lorna Mitchell