Labels: No Code Attached Yet, bug, Webservices
muhme, 4 Feb 2026

PATCH/POST users/levels doesn't check group IDs. The argument is written unchecked to the database and can cause exceptions in the backend afterwards. Validate that all group IDs are numeric and refer to existing groups; fail otherwise.
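As an illustration of the validation the report asks for, the following is an added standalone PHP example, not Joomla's code and not the fix that was eventually merged. The function name `validateGroupRules`, the set of existing group IDs and the sample payloads are constructed here; the three malformed payloads mirror the curl bodies in the steps below, and the messages match the 422 wording suggested under "Expected result".

```php
<?php
// Added example, not Joomla's own code: a standalone validator for the "rules"
// field of a users/levels PATCH/POST body. All sample data below is constructed.

declare(strict_types=1);

/**
 * Validate the "rules" value of a users/levels request body.
 *
 * Returns a normalised, de-duplicated list of integer group IDs on success,
 * or throws an InvalidArgumentException whose message suits a 422 response.
 *
 * @param mixed $rules          Decoded JSON value of the "rules" key
 * @param int[] $existingGroups IDs of groups that actually exist
 * @return int[]
 */
function validateGroupRules(mixed $rules, array $existingGroups): array
{
    // A bare scalar instead of an array (the '{ "rules": 1 }' case). Rejecting
    // it here is what prevents the later in_array() TypeError in the backend.
    if (!is_array($rules)) {
        throw new InvalidArgumentException('Array missing');
    }

    $invalid = [];
    $valid   = [];

    foreach ($rules as $id) {
        // Accept positive ints and pure-digit strings only; a group name such
        // as "Public" or any other non-numeric value is rejected.
        if (is_int($id) && $id > 0) {
            $int = $id;
        } elseif (is_string($id) && ctype_digit($id) && $id !== '0') {
            $int = (int) $id;
        } else {
            $invalid[] = var_export($id, true);
            continue;
        }

        // Numeric, but not an existing group (the '{ "rules": [ 42 ] }' case).
        if (!in_array($int, $existingGroups, true)) {
            $invalid[] = (string) $int;
            continue;
        }

        $valid[] = $int;
    }

    if ($invalid !== []) {
        throw new InvalidArgumentException('Invalid group IDs: ' . implode(', ', $invalid));
    }

    return array_values(array_unique($valid));
}

// Constructed sample of existing group IDs (hypothetical, not read from Joomla).
$existingGroups = [1, 2, 6, 8];

// The three payloads from the report plus one well-formed one.
$payloads = [
    'group name'       => '{ "rules": [ "Public" ] }',
    'missing array'    => '{ "rules": 1 }',
    'unknown group id' => '{ "rules": [ 42 ] }',
    'valid'            => '{ "rules": [ 1, "6" ] }',
];

foreach ($payloads as $label => $json) {
    $body = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    try {
        $ids = validateGroupRules($body['rules'] ?? null, $existingGroups);
        printf("%-16s -> 200 OK, rules=%s\n", $label, json_encode($ids));
    } catch (InvalidArgumentException $e) {
        printf("%-16s -> 422 Unprocessable Entity: %s\n", $label, $e->getMessage());
    }
}
```

Run with `php validate.php`; the first three payloads produce a 422-style message and only the last one yields the normalised list `[1,6]`. The strict `in_array(..., true)` check and the cast to `int` before comparison are deliberate: they keep the lookup type-safe and stop a digit string from being stored in a different shape than an integer ID.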

Steps to reproduce the issue

  1. Get Super User's API Token and set as environment variable
  2. Wrongly set by group name
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"  -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": [ "Public" ] }'
  3. Missing array
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"  -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": 1 }'
  4. Not-existing group IDs
    curl -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"  -w "\nHTTP status: %{http_code}\n" -X PATCH 'https://localhost:7154/api/index.php/v1/users/levels/1' -d '{ "rules": [ 42 ] }'
  5. Same 1. ... 3. for POST request, e.g.
    curl -kH "Authorization: Bearer $TOKEN" -w "\nHTTP status: %{http_code}\n" -X POST 'https://localhost:7154/api/index.php/v1/users/levels' -d '{
      "title": "Test2",
      "rules": [ 4711 ]
    }'

Expected result

  1. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"
  2. It is working, the group ID is transformed to array, as before #46080 OR Error is returned e.g. 422 Unprocessable Entity with e.g. "Array missing"
  3. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"
  4. Error is returned e.g. 422 Unprocessable Entity with e.g. "Invalid group IDs"

Actual result

  1. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set
  2. 200 OK is returned, administrator > Users > Exception in_array(): Argument #2 ($haystack) must be of type array, int given
  3. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set
  4. 200 OK is returned, administrator > Users > Access Levels > User Groups With Viewing Access > no group set

System information (as much as possible)

Tested with 5.4-dev branch.

Additional comments

Found in testing #46080. This may be a minor priority.

muhme - open - 4 Feb 2026
joomla-cms-bot - change - 4 Feb 2026
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 4 Feb 2026
richard67 - change - 4 Feb 2026
Labels Added: bug Webservices
richard67 - labeled - 4 Feb 2026
richard67 - labeled - 4 Feb 2026
