Pull Request for Issue #11541 .

Summary of Changes

AbstracMenu and SiteMenu classes use a memoized copy of the current user. Under some circumstances, this causes incorrect menu items to be displayed when user is logged in through the Remember-be feature (registered-access level items not shown) as the user has not yet been updated to logged-in state.

Circumstances are that Application::getMenu() is called from a plugin early on, typically from a system plugin constructor or onAfterInitialise.

getMenu() may not be called directly but for instance calling Application::getRouter() to add parse or build rules triggers the problem because the router itself grabs the menu in its contructor.

The language filter plugin does that, any SEF extension will also attach routing rules as well as many other extensions.

For 3rd party extensions, the problem will appear less frequently because it is also a requirement that the plugin in question is located before the RememberMe plugin, which is not common but will happen when user re-order plugins or when extensions want to the be the 1st plugin in the list for instance.

Note that it would make sense the Remember me plugin is located first in the list of system plugins. It would even make more sense that logging-in through the remember me feature is embedded in the CMS app and not in a plugin. Such logging-in should happen exactly as early as if the user was logged-in through the session or else there's a risk of similar side-effects happening in other areas, where some parts of the code see the user as a guest while later on it's seen as logged-in.

Testing Instructions

From a stock Joomla install:

1. Disable Caching in Global configuration
2. Create a menu item GUEST with access level "guest"
3. Create a menu item REGISTERED with access level "registered"
4. Enable the Language Filter system plugin
5. Log out of admin
6. On front end, GUEST menu item should be displayed
7. Log in to the front end **make sure to tick the Remember me check box"
8. The REGISTERED menu item is shown, GUEST menu item is hidden
9. Close your browser:
   • the entire browser, not just the current tab
   • browser must NOT be set to "reload all tabs opened when it was closed".
10. Navigate to your test site URL again by pasting it in the address bar

Step 9 & 10 can be replaced by deleting some cookies, see end of this description.

Actual result BEFORE applying this Pull Request

The GUEST menu item is displayed despite the user being logged in and the login module showing the user as Logged in. The REGISTERED menu item is not displayed.

Expected result AFTER applying this Pull Request

The REGISTERED menu item is displayed and the GUEST one is not shown.

Note on testing:

Rather than closing browser at each attempt, you can simulate the same behavior with the development tools:

1. Open the dev tools at Application->Cookies
2. After logging-in with Remember me checked - step 8, you'll see (at least) 3 cookies:

• joomla_remember_me_xxxx
• joomla_user_state_xxx
• session cookie that looks like "433f42e5e0d104622fd1b9c1c38b3945"

To simulate closing the browser, you can delete the joomla_user_state cookie and the session cookie. After that, just reload the page to reproduce step 10.