diff --git a/CHANGELOG.md b/CHANGELOG.md
index 229d69e6..3d75d769 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 - Fix missing check for `Entity` tag visibility
+- Prevent update of tags when the user has no update rights
 ## [2.12.5] - 2025-09-29
diff --git a/inc/tag.class.php b/inc/tag.class.php
index ee088aa3..1f1127f9 100644
--- a/inc/tag.class.php
+++ b/inc/tag.class.php
@@ -694,7 +694,21 @@ public static function showTagDropdown($params = [])
 echo "
";
 $rand = mt_rand();
- echo Html::hidden('_plugin_tag_tag_process_form', ['value' => '1',]);
+
+ // Returns false if at least one item in "items_ids" cannot be updated
+ $can_update_all = count(array_filter($params['items_ids'], function ($value) use ($obj) {
+ $obj->getFromDB($value);
+ return !$obj->canUpdateItem();
+ })) === 0;
+
+ $readOnly = !$tag::canUpdate()
+ || ($obj->isNewItem() && !$obj->canCreateItem())
+ || (!$obj->isNewItem() && !$obj->canUpdateItem())
+ || (!empty($params['items_ids']) && !$can_update_all);
+
+ if (!$readOnly) {
+ echo Html::hidden('_plugin_tag_tag_process_form', ['value' => '1',]);
+ }
 echo Html::select(
 '_plugin_tag_tag_values[]',
 [],
@@ -711,17 +725,6 @@ public static function showTagDropdown($params = [])
 $token_creation = "return null;";
 }
- // Returns false if at least one item in "items_ids" cannot be updated
- $can_update_all = count(array_filter($params['items_ids'], function ($value) use ($obj) {
- $obj->getFromDB($value);
- return !$obj->canUpdateItem();
- })) === 0;
-
- $readOnly = !$tag::canUpdate()
- || ($obj->isNewItem() && !$obj->canCreateItem())
- || (!$obj->isNewItem() && !$obj->canUpdateItem())
- || (!empty($params['items_ids']) && !$can_update_all);
-
 // call select2 lib for this input
 echo Html::scriptBlock("
 $(function() {
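Review bot: Leaving out the hidden `_plugin_tag_tag_process_form` field when `$readOnly` is true, in the first hunk of inc/tag.class.php, only changes what the form renders; the field is still client-controlled, so this is not an authorization check unless the code that consumes the field re-evaluates the same rights on the server. That handler is not visible here, so please confirm it does, and document the intent at the `if (!$readOnly)` line with something like `// UI hint only: the submit handler must re-check update rights before applying tags`. Separately, the filter closure ignores the result of `getFromDB()` and loads every id into the shared `$obj`, so an id that fails to load appears to be judged on whatever state `$obj` already held, and the later `$obj->isNewItem()` terms see the item loaded last; `return !$obj->getFromDB($value) || !$obj->canUpdateItem();` would at least fail closed. The body of showTagDropdown starts and ends outside the hunk, so whether `$params['items_ids']` is always set before this point cannot be checked from here.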