ACP “Send Message” throws error when no valid user is loaded

[FlowRider]

Affected version

2.3.10

Bug Report: ACP “Send Message” throws error when no valid user is loaded

XenForo version: 2.3.10
Area: Admin Control Panel -> Users -> Send Message
Error type: PHP Warning / Null pointer access

Description
When opening the “Send Message” action in the ACP without a valid user record (for example when user_id is missing, empty, or refers to a deleted user), XenForo throws a PHP warning:

ErrorException: [E_WARNING] Attempt to read property "user_id" on null
src/XF/Admin/Controller/UserController.php:1226

Stack trace excerpt:

XF\Admin\Controller\UserController->prepareMessageData()
XF\Admin\Controller\UserController->actionMessageConfirm()

Steps to reproduce
1. In the ACP, open:
/admin.php?users/message

2. Compose a message.

3. Leave the “From user” field empty.

4. Click “Send”.

5. A PHP warning is thrown because the controller attempts to access $user->user_id even though $user is null.


Expected behavior
The ACP should detect that no valid user was loaded and return a clean error message such as:

"The requested user could not be found."​

or redirect back to the user list.

Actual behavior
A PHP warning is thrown due to an unguarded property access on a null user object.

Possible cause
In UserController::prepareMessageData(), the code assumes $user is always a valid entity.
A simple null check appears to be missing, for example:

if (!$user)
{
    return $this->error(\XF::phrase('requested_user_not_found'));
}

Question / Proposed solution
Would it be possible to add a null‑check in prepareMessageData() (or earlier in the call chain) to ensure that the ACP handles missing or invalid users gracefully?

This would prevent the PHP warning and provide a more user‑friendly error message.

Screenshots