Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#41681] - J4 REST API - update/PATCH user alters password

No Code Attached Yet bug ?
avatar hefferbub
hefferbub
8 Sep 2023

I have written code in Salesforce that calls the Joomla 4 API and creates Joomla users if they don’t already exist, and then it updates their Joomla group memberships. If the user already exists, it just updates group memberships using a PATCH.

Steps to reproduce the issue

This can be reproduced using Postman as follows:

  1. Create user: POST to https://zzz.com/api/index.php/v1/users with body "{"email":"scotty@zzz.net","name":"Montgomery Scott","username":"scotty","password":"abcdefgh","password2":"abcdefgh","groups":{"1": 1,"2": 2,"9": 9}}"

  2. That created user 989 and I can an successfully login to scotty with PW abcdefgh.

  3. Alter group membership: PATCH to https://zzz.com/api/index.php/v1/users/989 with body "{"groups":{"14":14,"24":24,"9":9,"2":2,"1":1}}". Note that it does indeed change the groups to match this list.

  4. Try to log in again with same username and password. Fails with "Username and password do not match or you do not have an account yet."

  5. Manually change password in Joomla backend to "12345678". Now I can login again.

Expected result

PATCH API call should change only the fields specified in the body

Actual result

Password gets changed. I can't tell exactly how it gets changed since passwords cannot be displayed, but it no longer works.

System information (as much as possible)

PHP Built On Linux hosting.zzz.com 4.18.0-477.21.1.el8_8.x86_64 #1 SMP Thu Aug 10 13:51:50 EDT 2023 x86_64
Database Type mysql
Database Version 10.5.22-MariaDB
Database Collation latin1_swedish_ci
Database Connection Collation utf8mb4_general_ci
Database Connection Encryption None
Database Server Supports Connection Encryption No
PHP Version 8.1.22
Web Server Apache
WebServer to PHP Interface fpm-fcgi
Joomla! Version Joomla! 4.3.4 Stable [ Bora ] 22-August-2023 16:00 GMT

Additional comments

For some reason, Joomla changes the password even though in my PATCH call, I don’t include the password or password2 fields.

Is there a way to avoid having Joomla change or invalidate the password on a PATCH call or is this a bug?

avatar hefferbub hefferbub - open - 8 Sep 2023
avatar hefferbub hefferbub - change - 8 Sep 2023
Labels Removed: ?
avatar joomla-cms-bot joomla-cms-bot - change - 8 Sep 2023
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 8 Sep 2023
avatar alikon alikon - change - 8 Sep 2023
Labels Added: ?
avatar alikon alikon - labeled - 8 Sep 2023
avatar alikon
alikon - comment - 8 Sep 2023

confirmed it's a bug
co-related to #38277

avatar alikon alikon - change - 8 Sep 2023
Labels Added: bug
avatar alikon alikon - labeled - 8 Sep 2023
avatar alikon alikon - close - 9 Sep 2023
avatar alikon
alikon - comment - 9 Sep 2023

please test #41688

avatar alikon alikon - change - 9 Sep 2023
Status New Closed
Closed_Date 0000-00-00 00:00:00 2023-09-09 07:53:26
Closed_By alikon
avatar hefferbub
hefferbub - comment - 9 Sep 2023

Tested patch by replacing that one source file and retesting. Fix confirmed.
Thanks for quick response Alikon!

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/41681.

avatar alikon
alikon - comment - 10 Sep 2023

@hefferbub can you please mark your test on https://issues.joomla.org/tracker/joomla-cms/41688

Add a Comment

Login with GitHub to post a comment