From a079829409d870cff5f7d90733793e25eefdd03a Mon Sep 17 00:00:00 2001
From: Rom1-B
Date: Fri, 9 Jan 2026 09:12:39 +0100
Subject: [PATCH 1/3] Fix: update tag right
---
 inc/tag.class.php | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/inc/tag.class.php b/inc/tag.class.php
index ee088aa3..0917fa7b 100644
--- a/inc/tag.class.php
+++ b/inc/tag.class.php
@@ -694,7 +694,21 @@ public static function showTagDropdown($params = [])
 echo "
";
 $rand = mt_rand();
- echo Html::hidden('_plugin_tag_tag_process_form', ['value' => '1',]);
+
+ // Returns false if at least one item in "items_ids" cannot be updated
+ $can_update_all = count(array_filter($params['items_ids'], function ($value) use ($obj) {
+ $obj->getFromDB($value);
+ return !$obj->canUpdateItem();
+ })) === 0;
+
+ $readOnly = !$tag::canUpdate()
+ || ($obj->isNewItem() && !$obj->canCreateItem())
+ || (!$obj->isNewItem() && !$obj->canUpdateItem())
+ || (!empty($params['items_ids']) && !$can_update_all);
+
+ if (!$readOnly) {
+ echo Html::hidden('_plugin_tag_tag_process_form', ['value' => '1',]);
+ }
 echo Html::select(
 '_plugin_tag_tag_values[]',
 [],
@@ -711,17 +725,6 @@ public static function showTagDropdown($params = [])
 $token_creation = "return null;";
 }
- // Returns false if at least one item in "items_ids" cannot be updated
- $can_update_all = count(array_filter($params['items_ids'], function ($value) use ($obj) {
- $obj->getFromDB($value);
- return !$obj->canUpdateItem();
- })) === 0;
-
- $readOnly = !$tag::canUpdate()
- || ($obj->isNewItem() && !$obj->canCreateItem())
- || (!$obj->isNewItem() && !$obj->canUpdateItem())
- || (!empty($params['items_ids']) && !$can_update_all);
-
 // call select2 lib for this input
 echo Html::scriptBlock("
 $(function() {
From bffc45bdc63553cfa9815fbc54dbf38f8e07f9c5 Mon Sep 17 00:00:00 2001
From: Rom1-B
Date: Fri, 9 Jan 2026 09:16:49 +0100
Subject: [PATCH 2/3] changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 229d69e6..3d75d769 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 - Fix missing check for `Entity` tag visibility
+- Prevent update of tags when the user has no update rights
 ## [2.12.5] - 2025-09-29
From d17bc7f91ac6f0b4c0cd8fe8e075472f51dee9b8 Mon Sep 17 00:00:00 2001
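Review bot: Omitting the `_plugin_tag_tag_process_form` hidden input when `$readOnly` is true only changes what the rendered form submits; a client can still post that field together with `_plugin_tag_tag_values[]`, so the rights check has to be repeated wherever the submitted form is processed. That handler is not touched by this series, so unless it already performs the same `canUpdate()` / `canUpdateItem()` checks, the new guard is a UI measure rather than an authorization fix. I would record that above the `if (!$readOnly) {` line, e.g. `// UI only: the code handling _plugin_tag_tag_process_form must re-check update rights`. Separately, the closure passed to `array_filter` calls `$obj->getFromDB($value)` on the shared `$obj` and ignores its return value, so the `$obj->isNewItem()` tests that follow run against whichever item was loaded last, and a failed load leaves the previous state in place. This block now runs before `Html::select(`, and the rest of `showTagDropdown` lies outside the hunk, so it is worth confirming that nothing between the old and new position relies on the original `$obj`.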
From: Rom1-B
Date: Fri, 9 Jan 2026 09:23:17 +0100
Subject: [PATCH 3/3] fix
---
 inc/tag.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/tag.class.php b/inc/tag.class.php
index 0917fa7b..1f1127f9 100644
--- a/inc/tag.class.php
+++ b/inc/tag.class.php
@@ -705,7 +705,7 @@ public static function showTagDropdown($params = [])
 || ($obj->isNewItem() && !$obj->canCreateItem())
 || (!$obj->isNewItem() && !$obj->canUpdateItem())
 || (!empty($params['items_ids']) && !$can_update_all);
-
+
 if (!$readOnly) {
 echo Html::hidden('_plugin_tag_tag_process_form', ['value' => '1',]);
 }