[4.0] PHP Notices Undefined index(es) for token

[infograf768]

Clean install of 4.0-dev.
Login in frontend through a Login menu item,

[13-Jun-2020 08:01:29 UTC] PHP Notice:  Undefined index: enabled in /Applications/MAMP/htdocs/installmulti/joomla40/plugins/user/token/token.php on line 174
[13-Jun-2020 08:01:29 UTC] PHP Notice:  Undefined index: token in /Applications/MAMP/htdocs/installmulti/joomla40/plugins/user/token/token.php on line 175

$pluginData is empty.

[infograf768]

BTW: I see no good reason to enable the API Token plugin at install time.
It forces users to edit their profile by displaying a message to save it, even if they don't need API.
This feature should be available to experienced users only and the plugin should be disabled by default.

[particthistle]

• Tested on 4.0 Beta 2, installed on a cPanel (I've not finished setting up local J4 Beta)
• I'm not getting Undefined Index when I login from the front end with new users
• API Token Plugin only shows for Super User and Administrators by design
• I agree that the API Token is advanced functionality. It should be disabled on Joomla installation, and needs to be manually turned on (same as I've tonight found Workflows are through Content > Articles > Options > Integration)

[infograf768]

Test is with 4.0-dev. Just create a login menu item (nothing else) and log with superadmin in frontend. Notice is in the logs.
Patch is simple: it is just a matter of checking if $pluginData is not empty.

Did not make the patch because I would like @wilsonge to look at this, including the enabled status per default, and as my eclipse is not happy with some parts of the file code.

[Quy]

I can reproduce it.

@nikosdion

[nikosdion]

It's best to do checks for each property being accessed instead of assuming that everything will be available as a whole or none at all – that's not how profile fields work. I made a PR with that change.

Regarding enabling the plugin by default, I've said it in the original PR and a couple issues and PRs after that but I don't mind repeating myself. Calling it the Joomla API Token is very much a misnomer. The expectation is that 3PDs will be using this token to allow remote access to their extensions. Eventually, when the Joomla API gets stable and is generically available (instead of only to Super Users) the expectation is that 3PDs will migrate most of their com_ajax and custom remote APIs into it.

I can personally guarantee that if we do NOT enable it by default today when the time comes we won't be able to change that behaviour and our users will be frustrated at the third party developers for "breaking their sites" when the fault will be squarely on Joomla not making the token plugin enabled by default. Don't be short-sighted when it comes to features. We are not trying to reach short term goals with 4.0. It's not a 3.x release. 4.0 lays the foundation for Joomla's future. If we cock it up again this project will not have a future, period.

[alikon]

please test #29604