PR-5.4-dev Pending

adarshdubey03
23 Mar 2026

Pull Request resolves #46832.

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

Validates the rules field in the Users Access Levels API to ensure only existing user group IDs are accepted. Previously, invalid values were silently stored.

Testing Instructions

Follow #46832.

Actual result BEFORE applying this Pull Request

Invalid values were accepted and written to the database, e.g. the invalid { "rules": [99999] } gets 200 OK:

{
  "links": {
    "self": "http://localhost/joomla-cms/api/index.php/v1/users/levels/7"
  },
  "data": {
    "type": "levels",
    "id": "7",
    "attributes": {
      "id": 7,
      "title": "API Test Level",
      "rules": [
        99999
      ]
    }
  }
}

Expected result AFTER applying this Pull Request

Invalid input is rejected with a validation error and only valid existing group IDs are accepted, and the database remains consistent, e.g. the invalid { "rules": [99999] } gets 400 Bad Request:

{
  "errors": [
    {
      "title": "Invalid Group"
    }
  ]
}

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
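
The validation this pull request describes, as an added example in plain PHP; it is not the code from the pull request or from Joomla. The function name validateRules(), the $existingGroupIds parameter and the sample payloads are assumptions made for illustration, and the error title mirrors the response shown above.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Joomla code: validateRules() and $existingGroupIds are
 * hypothetical; a real check would load the IDs from the user groups table.
 *
 * @return int[] de-duplicated group IDs
 * @throws InvalidArgumentException if any entry is not an existing group ID
 */
function validateRules(mixed $rules, array $existingGroupIds): array
{
    // The field must be a JSON array (a list), not an object or a scalar.
    if (!is_array($rules) || !array_is_list($rules)) {
        throw new InvalidArgumentException('Invalid Group');
    }

    $known = array_fill_keys($existingGroupIds, true);
    $clean = [];

    foreach ($rules as $id) {
        // Assumption: canonical decimal strings such as "8" are accepted too.
        if (is_string($id) && preg_match('/^[1-9][0-9]{0,9}$/D', $id) === 1) {
            $id = (int) $id;
        }
        // Strict test: a loose in_array() would let true or "2.0" match a group.
        if (!is_int($id) || !isset($known[$id])) {
            throw new InvalidArgumentException('Invalid Group');
        }
        $clean[$id] = $id;
    }

    return array_values($clean);
}

// Constructed sample data: assume only groups 1, 2 and 8 exist.
$groups = [1, 2, 8];

foreach ([[1, '8', 8], [99999], ['2.0'], [true], ['a' => 1], 7] as $rules) {
    try {
        $body = ['status' => 200, 'rules' => validateRules($rules, $groups)];
    } catch (InvalidArgumentException $e) {
        $body = ['status' => 400, 'errors' => [['title' => $e->getMessage()]]];
    }
    echo json_encode($rules), ' => ', json_encode($body), PHP_EOL;
}
```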

adarshdubey03 - open - 23 Mar 2026
adarshdubey03 - change - 23 Mar 2026
Status: New → Pending
joomla-cms-bot - change - 23 Mar 2026
Category: Administration, com_users
richard67 - comment - 23 Mar 2026

@adarshdubey03 Please check the result of the CI check actions on GitHub. Code style checks are failing, and system tests are failing, too.

adarshdubey03 - change - 24 Mar 2026
Labels Added: PR-5.4-dev
adarshdubey03 - comment - 24 Mar 2026

Hello @richard67, I implemented validation for the rules field following the documentation for the error handling https://manual.joomla.org/migrations/54-60/errorhandling/.

Instead of the deprecated $this->setError(), I implemented the documentation-based approach and that produces the correct API responses, but CI fails because of PHPStan, so what would be the correct way to deal with that?

richard67 - comment - 24 Mar 2026

> Hello @richard67, I implemented validation for the rules field following the documentation for the error handling https://manual.joomla.org/migrations/54-60/errorhandling/.
>
> Instead of the deprecated $this->setError(), I implemented the documentation-based approach and that produces the correct API responses, but CI fails because of PHPStan, so what would be the correct way to deal with that?

Maybe @Hackwar can advise if you should add exclusions to the phpstan baseline file (I could help with that if that’s the way to go) or if you should change error handling of your code.
