Fixed Update user with API doesn't work if using API bypass permissions

Affected version
2.1.8 Patch 1


Well-known member
Steps to reproduce:
  1. Log into ACP.
  2. Create Super user key with access to user:write.
  3. Try use method users/{id}/ with api_bypass_permissions=1
Received result: I got server_error_occured (see details from log entry below).
Expected result: No one error has been thrown (or another, not server_error_occured) and method call finished.

Log entry:
  • ErrorException: [E_NOTICE] Trying to get property 'is_super_admin' of non-object
  • src\XF\Api\Controller\User.php:151
  • Stack trace
    1. src\XF\Api\Controller\User.php(151): XF::handlePhpError(8, '[E_NOTICE] Tryi...', '/var/www/fo...', 151, Array)
    2. src\XF\Mvc\Dispatcher.php(350): XF\Api\Controller\User->actionPost(Object(XF\Mvc\ParameterBag))
    3. src\XF\Api\Mvc\Dispatcher.php(27): XF\Mvc\Dispatcher->dispatchClass('XF:User', 'Post', Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
    4. src\XF\Mvc\Dispatcher.php(113): XF\Api\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Api\Mvc\RouteMatch), Object(XF\Api\Controller\User), NULL)
    5. src\XF\Mvc\Dispatcher.php(55): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Api\Mvc\RouteMatch))
    6. src\XF\App.php(2184): XF\Mvc\Dispatcher->run()
    7. src\XF.php(391): XF\App->run()
    8. index.php(16): XF::runApp('XF\\Api\\App')
    9. {main}
Last edited:


XenForo developer
Staff member
There is a bug with this code that causes that error, though as it stands, even with that bug fixed, you'd get an error.

Right now, if you are trying to edit a super admin, the user you're making the request as has to be a super admin themselves and this doesn't check bypass permissions. There's a comment that indicates this is intentional, though I'll have to think about that.

So the workaround would be to ensure that the user you're using the key as is a super admin themselves.

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.1.9).

Change log:
Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
There may be a delay before changes are rolled out to the XenForo Community.