
[5.4] Allow PATCH /api/users/id without the need to specify 'groups' in the payload #46750

Merged
muhme merged 6 commits into joomla:5.4-dev from OctavianC:patch-7
Jan 28, 2026

@OctavianC
Contributor

Pull Request for Issue #38277.

Summary of Changes

Adds (if not already present in the payload) the groups array to allow PATCH requests without the explicit need of supplying the user groups

Testing Instructions

See #38277 and related #46732

Actual result BEFORE applying this Pull Request

Save failed with the following error: You can't save a user account without selecting at least one user group.

Expected result AFTER applying this Pull Request

Successful request

Link to documentations

Please select:

"groups": [
        "2"
    ],
  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

@richard67
Member

@OctavianC Is this PR a bug fix or a new feature? I'm asking because the initial issue was labeled as feature request.

@richard67 richard67 changed the title from "Allow PATCH /api/users/id without the need to specify 'groups' in the payload" to "[5.4] Allow PATCH /api/users/id without the need to specify 'groups' in the payload" Jan 23, 2026
@OctavianC
Contributor Author

In my honest opinion this is a bug - the PATCH request should allow the API to modify user data without the need to specify the groups in EVERY request, e.g. changing an email address should suffice with a payload of {"email":"new@email.com"} instead of {"email":"new@email.com","groups":{"2":2}}

@alikon
Contributor

alikon commented Jan 23, 2026

I have tested this item ✅ successfully on 1bb91c7


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.

@richard67 richard67 added the bug label Jan 23, 2026
@exlemor

exlemor commented Jan 24, 2026

;( PR Test Unsuccessful... CAN'T match BEFORE condition

If I try a GET https://www.domain.com/_j540/api/index.php/v1/users/265, I get the user data no problem...
if I try a PATCH https://www.domain.com/_j540/api/index.php/v1/users/265, I get this error message:

{
  "errors": [
    {
      "title": "Field required: Email Notifications"
    }
  ]
}

400 Bad Request...

@OctavianC
Contributor Author

@exlemor I can only replicate this error message when I'm trying to PATCH my own user ID. This PR does not address this issue so please test the PATCH request to another user ID (= different than the one the API key belongs to)

@richard67
Member

@OctavianC Not really a good idea to trigger a branch update when that is not really necessary (e.g. due to conflicts). Any new commit (including a branch update) resets the human test counter in the issue tracker, which makes it then impossible to find a PR when checking for number of tests, e.g. to see when it has 2 good tests so we can set it RTC. I have to restore @alikon's test result in the issue tracker now.

@OctavianC
Contributor Author

Didn't know that.

@richard67
Member

Didn't know that.

@OctavianC All ok. In general it is not a problem when a PR's branch is shown as outdated to the base branch on GitHub. Only when GitHub shows conflicts does something need to be done.

@exlemor

exlemor commented Jan 28, 2026

I have tested this item ✅ successfully on 8ffa857

Unsuccessful Test - Something that seems very dangerous is happening here - overwriting of data (username, etc.) in Joomla.
Late, I will write specifics tomorrow when I wake up.

OK, so:

  1. IF you select your own User ID, you get:
    {
      "errors": [
        {
          "title": "Field required: Email Notifications"
        }
      ]
    }

    400 Bad Request...

    as stated above

  2. IF you select a user that is Super User, you get the same:
    {
      "errors": [
        {
          "title": "Field required: Email Notifications"
        }
      ]
    }

  3. IF you select a user with multiple access levels - as long as 1 of them is Super User - same error as above, (seems logical in the context that for some reason Super User blocks the editing of the User)

  4. IF you select a user that is ANY other level it seems, I've tested Administrator, Registered, Publisher so far:

It OVERWRITES the User's Data WITHOUT the PR completely with:

{
  "links": {
    "self": "https://www.domain.com/_j543/api/index.php/v1/users/15"
  },
  "data": {
    "type": "users",
    "id": "14",
    "attributes": {
      "groups": {
        "2": 2
      },
      "id": 14,
      "name": "name",
      "username": "username",
      "email": "new@example.org",
      "block": 0,
      "sendEmail": 0,
      "registerDate": "2026-01-28 11:22:58",
      "lastvisitDate": null,
      "lastResetTime": null,
      "resetCount": 0
    }
  }
}

It OVERWRITES the User's Data WITH the PR applied complete with:

{
  "links": {
    "self": "https://www.domain.com/_j543/api/index.php/v1/users/14"
  },
  "data": {
    "type": "users",
    "id": "15",
    "attributes": {
      "groups": {
        "2": 2
      },
      "id": 15,
      "name": "name",
      "username": "username",
      "email": "new@example.org",
      "block": 0,
      "sendEmail": 0,
      "registerDate": "2026-01-28 11:25:15",
      "lastvisitDate": null,
      "lastResetTime": null,
      "resetCount": 0
    }
  }
}

(the User ID moved up 1 because it was a new user which makes sense)

  5. Thankfully, trying to PATCH a non existing user yields as expected:
    {
      "errors": [
        {
          "title": "Resource not found",
          "code": 404
        }
      ]
    }


@richard67
Member

I have tested this item ✅ successfully on 8ffa857
Unsuccessful Test

@exlemor You have submitted a successful test. Can it be that you have selected the wrong result before submitting? Your text reads to me as if that was the case.

@exlemor

exlemor commented Jan 28, 2026

@richard67 you are correct, I meant to select Unsuccessful, I tried to Alter Test to Unsuccessful and it shows in Joomla Issue Tracker now as altered to Unsuccessful but not on GitHub.

I'll update the test result now with what I found.

@richard67
Member

@exlemor You have to use the „Test this“ button again, not the „Alter test“.

@exlemor

exlemor commented Jan 28, 2026

I have tested this item 🔴 unsuccessfully on 8ffa857

I have tested this unsuccessfully with the explanation above:
#46750 (comment)



@OctavianC
Contributor Author

Please provide more details on what payload you are using, what is the API URL and request method and what exactly is being overridden as I'm not sure I understand what the issue is.
My fix is simply to allow PATCH without the groups array in the payload - see the discussion here #38277 (comment). The Field required: Email Notifications error I can trace as being related to the Action Log - Joomla plugin; once this plugin is disabled the correct Save failed with the following error: You can't save a user account without selecting at least one user group. error shows up for Super Users as well, but that's another issue entirely...

@OctavianC
Contributor Author

Ok so this is the field that's required and failing validation because it's missing from the request:

image

Not sure about the choice of making a 0 and 1 field required but again, this is unrelated to this PR.

@exlemor

exlemor commented Jan 28, 2026

Please provide more details on what payload you are using, what is the API URL and request method and what exactly is being overridden as I'm not sure I understand what the issue is. My fix is simply to allow PATCH without the groups array in the payload - see the discussion here #38277 (comment). The Field required: Email Notifications error I can trace as being related to the Action Log - Joomla plugin; once this plugin is disabled the correct Save failed with the following error: You can't save a user account without selecting at least one user group. error shows up for Super Users as well, but that's another issue entirely...

Hi @OctavianC, lesson learned, I am using Postman and when you spin up postman, open up the Joomla Workspace and select the "Joomla Web Services Collection for Postman" collection and then choose: 14. Users --> 14.1 Users --> PATCH users/{user_id}, it opens up the right hand interface to Authorization to which I choose Bearer Token and I put in my Joomla API Token, it (Postman) automatically put in the Body Tab, the payload of: {"email":"new@example.org","groups":["2"],"name":"name","username":"username"}

which explains why via PATCH it overwrites the user data...

I have replaced that default text and put what is in your screenshot and it works - sorry for not having seen that.
I'll update the test to successful as I was able to confirm it.

@exlemor

exlemor commented Jan 28, 2026

I have tested this item ✅ successfully on 8ffa857

I was able to test this successfully (once I removed the default payload and replaced it with the correct one) sorry @OctavianC and THANK YOU for getting me to find the issue.



@OctavianC
Contributor Author

Thanks for testing!

@richard67
Member

RTC



@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Jan 28, 2026
@muhme
Contributor

muhme commented Jan 28, 2026

✅ Final test before merge with JBT

  • Checked with e.g. curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://host.docker.internal:7154/api/index.php/v1/users/42 | jq
  • Tested with e.g. curl -k -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://host.docker.internal:7154/api/index.php/v1/users/42 -d '{ "email": "new@example.com"}'
  • Before PR getting 400 Bad Request "Save failed with the following error: You can't save a user account without selecting at least one user group."
  • Applied PR with Patch Tester
    • ✅ Updating only email attribute is possible, HTTP status 200, other user attributes are unchanged
    • ✅ It is also possible to change one of the attributes: name, username, sendEmail or block (what was not possible before)
    • ⚠️ resetCount is ignored, PATCH returns 200, but nothing is changed; but as this is an internal counter this is ignored (better would be 400 Bad Request)
    • ✅ It is still possible to change one of the attributes e.g. email together with the groups array
  • ⚠️ As already discussed (e.g. Bug Report: PATCH /api/v1/users/{id} fails with "Field required: Email Notifications" in Joomla 6.0.2 #46732) it is not possible to PATCH the same user account that owns the API token
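
The manual check in the comment above (GET, PATCH, confirm that only the sent attributes changed), written as an added example that is not part of the original thread or of Joomla's code. The records are constructed samples in the response shape shown in this thread, and `audit_patch` and `simulate` are hypothetical helper names; in real use the before and after records would come from two GET requests around the PATCH.

```python
import copy

# Constructed "before" record, in the JSON:API shape shown in this thread.
BEFORE = {"data": {"type": "users", "id": "42", "attributes": {
    "id": 42, "name": "Jane Doe", "username": "jane",
    "email": "old@example.org", "block": 0, "sendEmail": 0,
    "resetCount": 0, "groups": {"2": 2, "6": 6}}}}


def _norm(key, value):
    """Compare groups as a set of ints: the thread shows both ["2"] and {"2": 2}."""
    if key == "groups" and value is not None:
        return frozenset(int(g) for g in value)
    return value


def audit_patch(before, payload, after):
    """Classify every attribute touched by, or changed around, a PATCH."""
    old, new = before["data"]["attributes"], after["data"]["attributes"]
    report = {"applied": [], "ignored": [], "unrequested": []}
    for key in sorted(set(old) | set(new) | set(payload)):
        o, n = _norm(key, old.get(key)), _norm(key, new.get(key))
        if key in payload:
            if n != _norm(key, payload[key]):
                report["ignored"].append(key)      # 200 returned, value not stored
            elif o != n:
                report["applied"].append(key)      # changed as requested
        elif o != n:
            report["unrequested"].append(key)      # changed without being sent
    return report


def simulate(before, **changes):
    """Build a constructed "after" record (stands in for the second GET)."""
    after = copy.deepcopy(before)
    after["data"]["attributes"].update(changes)
    return after


def demo():
    email_only = audit_patch(BEFORE, {"email": "new@example.org"},
                             simulate(BEFORE, email="new@example.org"))
    # The pre-filled request body quoted earlier in this thread.
    default_body = {"email": "new@example.org", "groups": ["2"],
                    "name": "name", "username": "username"}
    overwrite = audit_patch(BEFORE, default_body, simulate(
        BEFORE, email="new@example.org", groups={"2": 2},
        name="name", username="username"))
    counter = audit_patch(BEFORE, {"resetCount": 5}, simulate(BEFORE))
    return email_only, overwrite, counter
```

A non-empty `unrequested` list is the result to treat as a failure for a partial update, especially when it contains `groups`.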

@muhme muhme merged commit 9e73b52 into joomla:5.4-dev Jan 28, 2026
69 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Jan 28, 2026
@muhme muhme added this to the Joomla! 5.4.3 milestone Jan 28, 2026
@muhme
Contributor

muhme commented Jan 28, 2026

Thank you @OctavianC for your contribution. Thank you @alikon and @exlemor for testing.
