[#46080] - [5.4] [webservices] Create a user access level via POST
- Fixed in Code Base
- 4 Feb 2026
- Medium
- Build: 5.3-dev
- # 46080
- Diff
- alikon:patch-23
User tests: Successful: Unsuccessful:
Pull Request for Issue #45971.
Summary of Changes
fixed form level.xml
Testing Instructions
use the POST with `` endpoint /api/index.php/v1/users/levels with this payload to create a User Access Level
{
"id":"0",
"title": "aaTechnician",
"rules": "[1,2]"
}
Actual result BEFORE applying this Pull Request
HTTP 400 Bad request
{
"errors": [
{
"title": "Field required: id"
}
]
}
Expected result AFTER applying this Pull Request
HTTP 200 ok
{
"links": {
"self": "https://localhost:80/api/index.php/v1/users/levels"
},
"data": {
"type": "levels",
"id": "16",
"attributes": {
"id": 16,
"title": "aaTechnician",
"rules": [
1,
2
]
}
}
}
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_users |
| Title |
|
||||||
| Labels |
Added:
bug
Webservices
PR-5.3-dev
|
||
| Category | Administration com_users | ⇒ | Administration com_users JavaScript Unit Tests |
| Labels |
Added:
Unit/System Tests
|
||
added some system test
This pull request has been automatically rebased to 5.4-dev.
| Title |
|
||||||
| Labels |
Removed:
PR-5.3-dev
|
||
I have tested this item ✅ successfully on 0767cb6
Before patch:
✗ FAIL users_levels_POST_PR46080_1 - POST /v1/users/levels - 400 - 66.24 ms
✗ FAIL users_levels_POST_PR46080_2 - POST /v1/users/levels - 400 - 34.47 ms
Details:
────────────────────────────────────────────────────────────────────────────────
Create a new user access level
────────────────────────────────────────────────────────────────────────────────
POST https://joomla.sviluppo.online/api/index.php/v1/users/levels
REQUEST:
ℹ Method: POST
ℹ Endpoint: /v1/users/levels
ℹ Headers:
• Authorization: Bearer c2hhMjU2OjEyNjo1MWEzYzUyZmQ4Yz...
• Content-Type: application/vnd.api+json
• Accept: application/vnd.api+json
ℹ Payload:
{
"id": "0",
"title": "API Test 1 Level 1767370915",
"rules": "[1,2]"
}
RESPONSE:
ℹ Status: 400 (Bad Request)
ℹ Duration: 66.24 ms
ℹ Headers:
• Content-Type: application/vnd.api+json; charset=utf-8
ℹ Body:
{
"errors": [
{
"title": "Field required: id"
}
]
}
✗ ✗ Test failed (HTTP 400)
✗ • Error: Field required: id
────────────────────────────────────────────────────────────────────────────────
Create a new user access level
────────────────────────────────────────────────────────────────────────────────
POST https://joomla.sviluppo.online/api/index.php/v1/users/levels
REQUEST:
ℹ Method: POST
ℹ Endpoint: /v1/users/levels
ℹ Headers:
• Authorization: Bearer c2hhMjU2OjEyNjo1MWEzYzUyZmQ4Yz...
• Content-Type: application/vnd.api+json
• Accept: application/vnd.api+json
ℹ Payload:
{
"title": "API Test 2 Level 1767370915",
"rules": "[1,2]"
}
RESPONSE:
ℹ Status: 400 (Bad Request)
ℹ Duration: 34.47 ms
ℹ Headers:
• Content-Type: application/vnd.api+json; charset=utf-8
ℹ Body:
{
"errors": [
{
"title": "Field required: id"
}
]
}
✗ ✗ Test failed (HTTP 400)
✗ • Error: Field required: id
After Patch:
✓ PASS users_levels_POST_PR46080_1 - POST /v1/users/levels - 200 - 87.35 ms
✓ PASS users_levels_POST_PR46080_2 - POST /v1/users/levels - 200 - 43.59 ms
Details:
────────────────────────────────────────────────────────────────────────────────
Create a new user access level
────────────────────────────────────────────────────────────────────────────────
POST https://joomla.sviluppo.online/api/index.php/v1/users/levels
REQUEST:
ℹ Method: POST
ℹ Endpoint: /v1/users/levels
ℹ Headers:
• Authorization: Bearer c2hhMjU2OjEyNjo1MWEzYzUyZmQ4Yz...
• Content-Type: application/vnd.api+json
• Accept: application/vnd.api+json
ℹ Payload:
{
"id": "0",
"title": "API Test 1 Level 1767371075",
"rules": "[1,2]"
}
RESPONSE:
ℹ Status: 200 (OK)
ℹ Duration: 87.35 ms
ℹ Headers:
• Content-Type: application/vnd.api+json; charset=utf-8
ℹ Body:
{
"links": {
"self": "https://joomla.sviluppo.online/api/index.php/v1/users/levels"
},
"data": {
"type": "levels",
"id": "7",
"attributes": {
"id": 7,
"title": "API Test 1 Level 1767371075",
"rules": [
1,
2
]
}
}
}
✓ ✓ Test passed
ℹ Response contains: 3 item(s)
────────────────────────────────────────────────────────────────────────────────
Create a new user access level
────────────────────────────────────────────────────────────────────────────────
POST https://joomla.sviluppo.online/api/index.php/v1/users/levels
REQUEST:
ℹ Method: POST
ℹ Endpoint: /v1/users/levels
ℹ Headers:
• Authorization: Bearer c2hhMjU2OjEyNjo1MWEzYzUyZmQ4Yz...
• Content-Type: application/vnd.api+json
• Accept: application/vnd.api+json
ℹ Payload:
{
"title": "API Test 2 Level 1767371075",
"rules": "[1,2]"
}
RESPONSE:
ℹ Status: 200 (OK)
ℹ Duration: 43.59 ms
ℹ Headers:
• Content-Type: application/vnd.api+json; charset=utf-8
ℹ Body:
{
"links": {
"self": "https://joomla.sviluppo.online/api/index.php/v1/users/levels"
},
"data": {
"type": "levels",
"id": "8",
"attributes": {
"id": 8,
"title": "API Test 2 Level 1767371075",
"rules": [
1,
2
]
}
}
}
✓ ✓ Test passed
ℹ Response contains: 3 item(s)
```<hr /><sub>This comment was created with the <a href="https://github.com/joomla/jissues">J!Tracker Application</a> at <a href="https://issues.joomla.org/tracker/joomla-cms/46080">issues.joomla.org/tracker/joomla-cms/46080</a>.</sub>
I have tested this item ✅ successfully on 0767cb6
I have successfully tested this PR. @alikon Thanks!
I met the BEFORE condition and
In case this matters, after applying the PR, I got as expected:
{
"links": {
"self": "https://www.domain.com/_j540/api/index.php/v1/users/levels"
},
"data": {
"type": "levels",
"id": "8",
"attributes": {
"id": 8,
"title": "aaTechnician",
"rules": [
1,
2
]
}
}
}
and then, I wondered what would happen if I re-tried the POST command once it was created?
and I received this 400 Bad Request:
{
"errors": [
{
"title": "Save failed with the following error: Level with the name "aaTechnician" already exists.",
"code": 400
}
]
}
I am mentioning it because I figured it might help, if that is expected and in that form/format - than perfecto! :)
Also, after having done a POST, I did a GET and the new access level above appears so :D
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
| Labels |
Added:
RTC
PR-5.4-dev
|
||
I have tested this item 🔴 unsuccessfully on e85b984
Nice work and including new System Tests, I hoped to merge this, but the error with PATCH doesn't exist before PR ...
❌ Final test before merge with JBT
- Samples calls:
curl -kH "Authorization: Bearer $TOKEN" 'https://host.docker.internal:7154/api/index.php/v1/users/levels' | jq curl -kH "Authorization: Bearer $TOKEN" -w "\nHTTP status: %{http_code}\n" -X POST 'https://host.docker.internal:7154/api/index.php/v1/users/levels' -d '{ "id": "0", "title": "Test", "rules": "[1]" }' - Seen HTTP status code 400 with "Field required: id" before PR
- Applied PR with Patch Tester
- ✅ POST to create new user level with one group is now working, returns HTTP Status 200, new id and given arguments
- All fields are found in database, inclusive
ordering(if not set0is taken)
- All fields are found in database, inclusive
- ✅ 2nd POST with same title fails with 400 - Bad Request: Save failed with the following error: Level with the name "Test" already exist
- ✅ GET
/users/levelsand/users/levels/3return the same result as before PR - ✅ GET
/users/levels/10- the new ID works ⚠️ GET/users/levels/42- non existing ID returns 500 Internal server error- Should return 404 Not Found, this error happens also before this PR
- Created #46721
- ✅ POST to create new user level with two groups is working
- ✅ New created access levels are present in administrator > Users Access Levels and groups are correct set
- ✅ DELETE for new created entry is working and returns HTTP Status 204 No Content
- The System Tests could be enhanced to use the DELETE instead the afterEach database cleanup
- OK DELETE for non-existing entry is working and returns also HTTP Status 204 No Content
- ✅ PATCH with new group IDs is working
- non-existing group IDs could be used and are ignored in the backend
- ❌ PATCH with naked ID e.g.
1instead array[1]is working, returns 200, but- administrator > Users > Access Levels crashes with stack trace
- This error is new with this PR, before the PR naked ID
1is converted to array[1], however
⚠️ POST with the PR and PATCH before the PR accept non-exisiting group IDs- Better to check the group ids?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
| Status | Ready to Commit | ⇒ | Pending |
Removed RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
For documentation: To create a new user access entry via POST it is not needed to set "id": "0" as the new ID will be created with the POST request.
| Labels |
Removed:
RTC
|
||
@muhme can you share the payload that you use with PATCH, and also what it is the crash
Thank you for working on this PR. I used e.g.
curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -X PATCH 'https://host.docker.internal:7154/api/index.php/v1/users/levels/1' -d '{ "rules": "1" }' | jq
This request is working before and after PR. But it stores [1] before PR and 1 after PR in the database and following administrator > Users > Access Levels crashes with stack trace. From my point of view the behavier should be the same after PR as before PR (creating array for single integer) or the request have to fail with something 400 Bad Request.
New tested: It is also possible to use a letter e.g. "X". The letter is stored in the database and furthermore ignored.
the correct way to create a PATCH payload for rules should be
{
"title": "bbTechnician",
"rules": "[1]"
}like in the GET response
{
"links": {
"self": "https://localhost:80/api/index.php/v1/users/levels/3"
},
"data": {
"type": "levels",
"id": "3",
"attributes": {
"id": 3,
"title": "Special",
"rules": [
6,
3,
8
]
}
}
}verifying the correct payload is out of scope of this PR
I have tested this item ✅ successfully on 9b97de7
I have successfully tested this issue on 5.4-dev ✅
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
I've restored the previous human test results in the issue tracker as the commits which have invalidated the tests were just clean branch update and the addition of a test case for system tests.
@muhme Could you review your unsuccessful test result with respect to @alikon 's comment above? Thanks in advance.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46080.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-02-04 15:25:40 |
| Closed_By | ⇒ | muhme | |
| Labels |
Added:
RTC
|
||
Thank you @alikon for your contribution. Thank you @laoneo for support. Thank you @Razzo1987, @exlemor and @rutuja123242 for testing.
@alikon Unfortunately we had to revert this PR yesterday because we were building the 5.4.3-rc1 and 6.0.3-rc1 yesterday and we had found a small issue in your PR after it was merged which we have missed before:
- The removal of the
filter="intarray"for the "rules" field in the form is not right. Clients should use the right payload instead (no double quotes around the array). - The removal of the
required="true"of the "id" field is fine. - The new system tests are of course very welcome.
We would be happy if you could redo your PR but without the removal of the filter="intarray" for the "rules" field (and with the system tests possibly adapted to that.
Sorry for the inconvenience, and thanks for your contribution, and thanks in advance for the new PR.
Would you mind to add a system test for it?