wilsonge
31 Oct 2019

Steps to reproduce the issue

#26870: per @brianteeman's comment here as a throwaway, there actually isn't an upgrade script for the asset table (as usual), but in this case I'm not sure what the effect on the API will be. So this needs to be tested.

  • Upgrade from 3.x
  • Test the API usage from a variety of ACL groups and see who is/isn't allowed to use the API

Expected result

Super users only allowed to use the API by default

Actual result

???

wilsonge - open - 31 Oct 2019
richard67 - comment - 31 Oct 2019

Agree with Brian that an update sql would be too dangerous. But could we do something in script.php if necessary?

wilsonge - comment - 31 Oct 2019

Possibly. I'm honestly unsure what's going to happen on upgrade. So need to test it first before trying to do fun things in the script

brianteeman - comment - 31 Oct 2019

Even if you can technically do something I would not. We should never be changing user data and in this case the acl is user data

wilsonge - comment - 31 Oct 2019

It depends what the result is on upgrading from Joomla 3. For example, what we cannot end up with is public access to the API. Bearing in mind this would be an addition rather than a modification if we do it correctly.

brianteeman - comment - 31 Oct 2019

TBC I am saying that upgrade from j3 - not a problem adding an acl to the asset
Upgrading from j4 alpha - that's a problem as it's changing user data

richard67 - comment - 31 Oct 2019

Agree with all. Just asked to be sure.

richard67 - comment - 31 Oct 2019

As far as I always understood updating to J4 Beta from J4 Alpha shall not be supported, only from 3.9.x (or finally 3.10) to Beta and then later from BetaX to BetaY (with Y > X) or RC or final. @wilsonge Is that right, or was I wrong all the time? If the latter, then we have a problem because depending on which Alpha it might not work due to my changes on the existing 4.0-sql update scripts for the nulldate stuff.

wilsonge - comment - 31 Oct 2019

No support guaranteed. Of course, if we can go between alphas, all the better. But yeah, don't worry about it.

richard67 - comment - 31 Oct 2019

Well if you plan to make another alpha before beta and freeze the update sql scripts before releasing that alpha then update from that new alpha to beta will be possible.

brianteeman - comment - 31 Oct 2019

@richard67 you are completely missing the point. This sql change is not the same as the changes you have been writing (thanks for those). The acl settings are something that a user can change - therefore it is user data. We can not, nor should we ever, change the data on a user's website. Imagine the scenario that I have already configured the acl exactly how I want it. Now I update and all those changes are replaced. I would not be happy.

richard67 - comment - 31 Oct 2019

@richard67 I know. My previous comments were only about updating from alpha in general. Sorry for (partly) off topic. Agree with you in all regarding ACL changes. So it seems we need to add a new ACL entry for the JSON API access on update from 3.x, right?

brianteeman - comment - 31 Oct 2019

richard it is really hard to deal with off topic comments - they just lead to confusion and wasting time

wilsonge - comment - 31 Oct 2019

@richard67 probably correct. We need to actually test the 3.x upgrade procedure first

richard67 - comment - 31 Oct 2019

@wilsonge Silly question: How can these JSON API permissions be tested? Are there some docs anywhere? If so, it would be good to have a hint here for other testers.

brianteeman - comment - 31 Oct 2019

Test instructions are in #26870

richard67 - comment - 1 Nov 2019

Here are my results:

  1. Permissions of "Manager" on new installed 4.0-dev of today

     [image: permissions-j4-new-manager]

  2. Permissions of "Manager" on updated 4.0-dev of today

     [image: permissions-j4-updated-manager]

  3. Permissions of "Administrator" on new installed 4.0-dev of today

     [image: permissions-j4-new-administrator]

  4. Permissions of "Administrator" on updated 4.0-dev of today

     [image: permissions-j4-updated-administrator]

Super users have all permissions in both cases new install and update.

The updated 4.0-dev was made by updating a clean staging of today with update package from nightly build of last night.

Tested with MySQL 5.7.

Seems we are safe ?
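The check discussed in this thread (which groups can use the API after an upgrade) can also be run offline against the root asset's `rules` JSON. The following is an added example, not code from the issue or from Joomla: it assumes the API login action is named `core.login.api`, assumes Joomla's default group IDs and hierarchy, and uses a simplified model of the root asset only (an explicit deny on a group or ancestor wins, otherwise any allow grants, and `core.admin` grants everything).

```python
import json

# Assumption: Joomla's default user-group tree, as {group_id: parent_id}.
GROUP_PARENT = {1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 1, 7: 6, 8: 1, 9: 1}
GROUP_NAME = {1: "Public", 2: "Registered", 3: "Author", 4: "Editor",
              5: "Publisher", 6: "Manager", 7: "Administrator",
              8: "Super Users", 9: "Guest"}
API_ACTION = "core.login.api"  # assumed name of the API login action


def group_path(group_id):
    """Return the group and all of its ancestors (permissions are inherited)."""
    path = []
    while group_id:
        path.append(group_id)
        group_id = GROUP_PARENT[group_id]
    return path


def allowed(rules, action, group_id):
    """True if the group holds `action`: explicit deny wins, then any allow."""
    settings = [rules.get(action, {}).get(str(g)) for g in group_path(group_id)]
    if 0 in settings:
        return False
    return 1 in settings


def api_groups(rules_json):
    """Names of groups that may log in to the API under the given root rules."""
    rules = json.loads(rules_json)
    return sorted(
        GROUP_NAME[g] for g in GROUP_PARENT
        # core.admin on the root asset is super-user status and grants everything
        if allowed(rules, "core.admin", g) or allowed(rules, API_ACTION, g)
    )


# Constructed samples of the root asset's rules column (not taken from the issue).
UPGRADED_FROM_3X = ('{"core.login.site":{"6":1,"2":1},'
                    '"core.login.admin":{"6":1},"core.admin":{"8":1}}')
FRESH_INSTALL = ('{"core.login.admin":{"6":1},"core.admin":{"8":1},'
                 '"core.login.api":{"8":1}}')
PUBLIC_ALLOWED = '{"core.admin":{"8":1},"core.login.api":{"1":1}}'

if __name__ == "__main__":
    for label, sample in [("upgraded", UPGRADED_FROM_3X),
                          ("fresh", FRESH_INSTALL), ("public", PUBLIC_ALLOWED)]:
        print(label, api_groups(sample))
```

A missing action entry (the upgraded sample) leaves only super users with access, while an allow on the Public group is inherited by every group.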

wilsonge - change - 24 Mar 2020
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-03-24 15:18:50
Closed_By: wilsonge
wilsonge - close - 24 Mar 2020
wilsonge - comment - 24 Mar 2020

Closing as it's not an issue
