[5.4] Allow PATCH /api/users/id without the need to specify 'groups' in the payload

[OctavianC]

Pull Request for Issue #38277 .

Summary of Changes

Adds (if not already present in the payload) the groups array to allow PATCH requests without the explicit need of supplying the user groups

Testing Instructions

See #38277 and related #46732

Actual result BEFORE applying this Pull Request

Save failed with the following error: You can't save a user account without selecting at least one user group.

Expected result AFTER applying this Pull Request

Successful request

Link to documentations

Please select:

• Documentation link for docs.joomla.org: (https://docs.joomla.org/J4.x:Joomla_Core_APIs#Update_User) - documentation might need updating to show that the groups array is now optional:

"groups": [
        "2"
    ],

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[richard67]

@OctavianC Is this PR a bug fix or a new feature? I‘m asking because the initial issue was labeled as feature request.

[OctavianC]

In my honest opinion this is a bug - the PATCH request should allow the API to modify user data without the need to specify the groups in EVERY request, eg. changing an email address should suffice with a payload of {"email":"new@email.com"} instead of {"email":"new@email.com","groups":{"2":2}}

[alikon]

I have tested this item ✅ successfully on 1bb91c7

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.}

[exlemor]

;( PR Test Unsuccessful... CAN'T match BEFORE condition

If I try a GET https://www.domain.com/_j540/api/index.php/v1/users/265, I get the user data no problem...
if I try a PATCH https://www.domain.com/_j540/api/index.php/v1/users/265, I get this error message:

{
"errors": [
{
"title": "Field required: Email Notifications"
}
]
}

400 Bad Request...

[OctavianC]

@exlemor I can only replicate this error message when I'm trying to PATCH my own user ID. This PR does not address this issue so please test the PATCH request to another user ID (= different than the one the API key belongs to)

[richard67]

@OctavianC Not really a good idea to trigger a branch update when that is not really necessary (e.g. due to conflicts). Any new commit (including a branch update) resets the human test counter in the issue tracker, which makes it then impossible to find a PR when checking for number of tests, e.g. to see when it has 2 good tests so we can set it RTC. I have to restore @alikon 's test result in the issue tracker now.

[OctavianC]

Didn't know that.

[richard67]

Didn't know that.

@OctavianC All ok. In general it is not a problem when a PR's branch is shown as outdated to the base branch on GitHub. Only when GitHub shows conflicts it needs to do something.

[exlemor]

I have tested this item ✅ successfully on 8ffa857

Unsuccessful Test - Something seems very dangerous is happening here - overwriting of data (username, etc) in Joomla.
Late, I will write specifics tomorrow when I wake up.

OK, so:

1. IF you select your own User ID, you get:
   "errors": [
   {
   "title": "Field required: Email Notifications"
   }
   ]
   }

400 Bad Request...

as stated above

2. IF you select a user that is Super User, you get the same:
   {
   "errors": [
   {
   "title": "Field required: Email Notifications"
   }
   ]
   }

3. IF you select a user with multiple access levels - as long as 1 of them is Super User - same error as above, (seems logical in the context that for some reason Super User blocks the editing of the User)

4. IF you select a user that is ANY other level it seems, I've tested Administrator, Registered, Publisher so far:

It OVERWRITES the User's Data WITHOUT the PR completely with:

{
"links": {
"self": "https://www.domain.com/_j543/api/index.php/v1/users/15"
},
"data": {
"type": "users",
"id": "14",
"attributes": {
"groups": {
"2": 2
},
"id": 14,
"name": "name",
"username": "username",
"email": "new@example.org",
"block": 0,
"sendEmail": 0,
"registerDate": "2026-01-28 11:22:58",
"lastvisitDate": null,
"lastResetTime": null,
"resetCount": 0
}
}
}

It OVERWRITES the User's Data WITH the PR applied complete with:
{
"links": {
"self": "https://www.domain.com/_j543/api/index.php/v1/users/14"
},
"data": {
"type": "users",
"id": "15",
"attributes": {
"groups": {
"2": 2
},
"id": 15,
"name": "name",
"username": "username",
"email": "new@example.org",
"block": 0,
"sendEmail": 0,
"registerDate": "2026-01-28 11:25:15",
"lastvisitDate": null,
"lastResetTime": null,
"resetCount": 0
}
}
}

(the User ID moved up 1 because it was a new user which makes sense)

4. Thankfully, trying to PATCH a non existing user yields as expected:
   {
   "errors": [
   {
   "title": "Resource not found",
   "code": 404
   }
   ]
   }

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.}

[richard67]

I have tested this item ✅ successfully on 8ffa857Unsuccessful Test

@exlemor You have submitted a successful test. Can it be that you have selected the wrong result before submitting? Your texts reads to me as if that was the case.

[exlemor]

@richard67 you are correct, I meant to select Unsuccessful, I tried to Alter Test to Unsuccessful and it shows in Joomla Issue Tracker now as altered to Unsuccessful but not on Github.

I'll update the test result now with what I found.

[richard67]

@exlemor You have to use the „Test this“ button again, not the „Alter test“.

[exlemor]

I have tested this item 🔴 unsuccessfully on 8ffa857

I have tested this unsuccessfully with the explanation above:
#46750 (comment)

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.}

[OctavianC]

Please provide more details on what payload you are using, what is the API URL and request method and what exactly is being overridden as I'm not sure I understand what the issue is.
My fix is simply to allow PATCH without the groups array in the payload - see the discussion here #38277 (comment). The Field required: Email Notifications error I can trace as being related to the Action Log - Joomla plugin; once this plugin is disabled the correct Save failed with the following error: You can't save a user account without selecting at least one user group. error shows up for Super Users as well, but that's another issue entirely...

[OctavianC]

Ok so this is the field that's required and failing validation because it's missing from the request:

Not sure about the choice of making a 0 and 1 field required but again, this is unrelated to this PR.

[exlemor]

Please provide more details on what payload you are using, what is the API URL and request method and what exactly is being overridden as I'm not sure I understand what the issue is. My fix is simply to allow PATCH without the groups array in the payload - see the discussion here #38277 (comment). The Field required: Email Notifications error I can trace as being related to the Action Log - Joomla plugin; once this plugin is disabled the correct Save failed with the following error: You can't save a user account without selecting at least one user group. error shows up for Super Users as well, but that's another issue entirely...

Hi @OctavianC, lesson learned, I am using Postman and when you spin up postman, open up the Joomla Workspace and select the "Joomla Web Services Collection for Postman" collection and then choose: 14. Users --> 14.1 Users --> PATCH users/{user_id}, it opens up the right hand interface to Authorization to which I choose Bearer Token and I put in my Joomla API Token, it (Postman) automatically put in the Body Tab, the payload of: {"email":"new@example.org","groups":["2"],"name":"name","username":"username"}

which explains why via PATCH it overwrites the user data...

I have replaced that default text and put what is in your screenshot and it works - sorry for not having seen that.
I'll update the test to successful as I was able to confirm it.

[exlemor]

I have tested this item ✅ successfully on 8ffa857

I was able to test this successfully (once I removed the default payload and replaced it with the correct one) sorry @OctavianC and THANK YOU for getting me to find the issue.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.}

[OctavianC]

Thanks for testing!

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46750.}

[muhme]

✅ Final test before merge with JBT

• Checked with e.g. curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://host.docker.internal:7154/api/index.php/v1/users/42 | jq
• Tested with e.g. curl -k -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://host.docker.internal:7154/api/index.php/v1/users/42 -d '{ "email": "new@example.com"}'
• Before PR getting 400 Bad Request "Save failed with the following error: You can't save a user account without selecting at least one user group."
• Applied PR with Patch Tester
  • ✅ Updating only email attribute is possible, HTTP status 200, other user attributes are unchanged
  • ✅ It is also possible the change one of the attributes: name, username, sendEmail or block (what was not possible before)
  • ⚠️ resetCount is ignored, PATCH returns 200, but nothing is changed; but as this is an internal counter this is ignored (better would be 400 Bad Request)
  • ✅ It is still possible the change one of the attributes e.g. email together with the groups array
• ⚠️ As already discussed (e.g. Bug Report: PATCH /api/v1/users/{id} fails with "Field required: Email Notifications" in Joomla 6.0.2 #46732) it is not possible to PATCH the same user account that owns the API token
  • 400 Bad Request with mystery error "Field required: Email Notifications"
  • Created a new issue API webservices Cannot PATCH user owning the API token #46766

[muhme]

Thank you @OctavianC for your contribution. Thank you @alikon and @exlemor for testing.