Pull Request for Issue #11541 .

Summary of Changes

AbstracMenu and SiteMenu classes use a memoized copy of the current user. Under some circumstances, this causes incorrect menu items to be displayed when user is logged in through the Remember-me feature (registered-access level items not shown) as the user has not yet been updated to logged-in state.

Circumstances are that Application::getMenu() is called from a plugin early on, typically from a system plugin constructor or onAfterInitialise.

getMenu() may not be called directly but for instance calling Application::getRouter() to add parse or build rules triggers the problem because the router itself grabs the menu in its contructor.

The language filter plugin does that, any SEF extension will also attach routing rules as well as many other extensions.

For 3rd party extensions, the problem will appear less frequently because it is also a requirement that the plugin in question is located before the RememberMe plugin, which is not common but will happen when user re-order plugins or when extensions want to the be the 1st plugin in the list for instance.

Comments

1. The problem affects Joomla 3 and Joomla 4 the same. Testing instructions are the same. I think however the issue should be solved differently in J3 and J4. This PR is for Joomla 3 and fixes the problem simply, in the most B/C manner.

2. With Joomla 4, the same code can be used and will also solve the problem. But I think a more robust approach should be used. It would make sense the Remember me plugin is located first in the list of system plugins. It would even make more sense that logging-in through the remember me feature is embedded in the CMS app and not in a plugin. Such logging-in should happen exactly as early as if the user was logged-in through the session or else there's a risk of similar side-effects happening in other areas, where some parts of the code see the user as a guest while later on it's seen as logged-in.

3. This issue was identified in 2016 (#11541)and a fix proposed at the time but unfortunately never merged. This PR uses a slightly different method which only touches the Menu class, not the remember me plugin. I believe it's better to do it that way, especially for Joomla 3, so that no changes are needed in 3rd-party extensions providing features similar to Remember-me, or otherwise.

Testing Instructions

From a stock Joomla 3 install:

1. Disable Caching in Global configuration
2. Create a menu item GUEST with access level "guest"
3. Create a menu item REGISTERED with access level "registered"
4. Enable the Language Filter system plugin
5. Log out of admin
6. On front end, GUEST menu item should be displayed
7. Log in to the front end **make sure to tick the Remember me check box"
8. The REGISTERED menu item is shown, GUEST menu item is hidden
9. Close your browser:
   • the entire browser, not just the current tab
   • browser must NOT be set to "reload all tabs opened when it was closed".
10. Navigate to your test site URL again by pasting it in the address bar

Step 9 & 10 can be replaced by deleting some cookies, faster to test but requires knowledge of browser dev tools. See end of this description.

Actual result BEFORE applying this Pull Request

The GUEST menu item is displayed despite the user being logged in and the login module showing the user as Logged in. The REGISTERED menu item is not displayed.

Expected result AFTER applying this Pull Request

The REGISTERED menu item is displayed and the GUEST one is not shown.

Note on testing:

Rather than closing browser at each attempt, you can simulate the same behavior with the development tools:

1. Open the dev tools at Application->Cookies
2. After logging-in with Remember me checked - step 8, you'll see (at least) 3 cookies:

• joomla_remember_me_xxxx
• joomla_user_state_xxx
• session cookie that looks like "433f42e5e0d104622fd1b9c1c38b3945"

To simulate closing the browser, you can delete the joomla_user_state cookie and the session cookie. After that, just reload the page to reproduce step 10.