Pull Request resolves #46788.

• I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

When a frontend user with article edit permissions opens a modal picker (+Article, Menu, or Module) from the article editor and navigates to a different pagination page, the modal fails with:

"The most recent request was denied because it had an invalid security token. Please refresh the page and try again."

Root cause: The modal templates (com_content, com_menus, com_modules) all guard every request with Session::checkToken('get') when loaded from the frontend. Pagination links are plain <a href> GET requests that bypass form submission, so the CSRF token present in the initial modal URL is never carried forward to subsequent pagination requests.

Fix: In the display() method of each affected view's HtmlView.php, when rendering the modal layout from the frontend (isClient('site')), the CSRF token is added to the pagination object's additional URL params via setAdditionalUrlParam(). This causes the token to be appended to all pagination links (first, previous, numbered pages, next, last) through the existing Pagination::_buildDataObject() mechanism, with no changes required to the Pagination class itself.

Files changed:

• administrator/components/com_content/src/View/Articles/HtmlView.php
• administrator/components/com_menus/src/View/Items/HtmlView.php
• administrator/components/com_modules/src/View/Modules/HtmlView.php
• administrator/components/com_contact/src/View/Contacts/HtmlView.php

Testing Instructions

Prerequisites

• Joomla 5.4+ installation
• Every time you will open a modal, set the number of elements per page (top right) to 5 (default is 20)
  to reduce the number of sample data needed to test. (You don't need this if you already have many sample/real data)
• Sample data installed (at least 6+ articles for pagination)
• Front-end user with article edit permissions (e.g., publisher)

1. Create a test user:

   • Go to Users → Add New User
   • Username: publisher user, Password: write something you will remember
   • Assigned User Groub: publisher

2. Create test data:

   • Have/Create at least 6 articles (to ensure pagination appears with minimum number of elements 5)

Test Case 1: Front-end Article Modal

1. Navigate to the frontend
2. Log in as publisher user
3. Edit an article
4. In the editor toolbar, click CMS Content dropdown → select Article
5. Scroll to bottom of modal → click page 2 (or Next button)
   Expected Result: Page 2 loads successfully with articles displayed
   Actual Result:

"The most recent request was denied because it had an invalid security token. Please refresh the page and try again."

Test Case 2: Module Modal

1. Edit an article
2. In the editor toolbar, click CMS Content dropdown → select Module
3. Wait for modal to load
4. Navigate through multiple pages
   Expected Result: All pages load without token errors
   Actual Result:

"The most recent request was denied because it had an invalid security token. Please refresh the page and try again."

Test Case 3, 4: Do the same for Menus and Contacts

Actual result BEFORE applying this Pull Request

The modal goes blank and displays the error:

"The most recent request was denied because it had an invalid security token. Please refresh the page and try again."

Expected result AFTER applying this Pull Request

The modal correctly loads the next page of items with no error.

Link to documentations

Please select:

• Documentation link for guide.joomla.org:
• No documentation changes for guide.joomla.org needed
• Pull Request link for manual.joomla.org:
• No documentation changes for manual.joomla.org needed