Merge remote-tracking branch 'origin/2025.4' into 2026.1

Author: martineiber

src/Bundle/ApplicationLogger/Repository/LogRepository.php

@@ -198,7 +198,10 @@ private function addPaging(QueryBuilder $queryBuilder, FilterParameter $paramete
     private function addSorting(QueryBuilder $queryBuilder, SortFilter $sortFilter): void
     {
         $queryBuilder
-            ->orderBy($sortFilter->getKey(), $sortFilter->getDirection());
+            ->orderBy(
+                $this->dbResolver->get()->quoteIdentifier($sortFilter->getKey()),
+                $sortFilter->getDirection()
+            );
     }
 
     /**

src/Class/Service/LayoutService.php

@@ -126,7 +126,7 @@ private function getPreviewObject(TextLayoutPreviewParameters $parameters): ?Con
         }
 
         $this->classDefinitionRepository->getClassDefinition($parameters->getClassName());
-        $className = '\\Pimcore\\Model\\DataObject\\' . $parameters->getClassName();
+        $className = '\\Pimcore\\Model\\DataObject\\' . ucfirst($parameters->getClassName());
 
         return new $className();
     }

src/DataIndex/Grid/GridSearch.php

@@ -112,6 +112,7 @@ public function searchElementsForUser(
         GridParameter $gridParameter,
         UserInterface $user
     ): AssetSearchResult|DataObjectSearchResult|DocumentSearchResult {
+        $type = $this->getStudioElementType($type);
         /** @var AssetQueryInterface|DataObjectQueryInterface|DocumentQueryInterface $query */
         $query = $this->getSearchQuery($type, $gridParameter, $user);
 
@@ -131,6 +132,7 @@ public function searchElementIdsForUser(
         GridParameter $gridParameter,
         UserInterface $user
     ): array {
+        $type = $this->getStudioElementType($type);
         /** @var AssetQueryInterface|DataObjectQueryInterface $query */
         $query = $this->getSearchQuery($type, $gridParameter, $user);
 
@@ -147,7 +149,6 @@ private function getSearchQuery(
         UserInterface $user
     ): QueryInterface {
         $filter = $gridParameter->getFilters();
-        $type = $this->getStudioElementType($type);
         $filter = $this->setFilterPath($filter, $type, $gridParameter->getFolderId(), $user);
 
         $query = $this->queryFactory->create($type);

src/MappedParameter/Filter/SortFilter.php

@@ -14,6 +14,7 @@
 namespace Pimcore\Bundle\StudioBackendBundle\MappedParameter\Filter;
 
 use Pimcore\Bundle\GenericDataIndexBundle\Enum\Search\SortDirection;
+use function strtolower;
 
 /**
  * @internal
@@ -43,6 +44,9 @@ public function getKeyWithOutLocale(): string
 
     public function getDirection(): string
     {
-        return $this->direction;
+        $normalised = strtolower($this->direction);
+        $direction = SortDirection::tryFrom($normalised) ?? SortDirection::ASC;
+
+        return $direction->value;
     }
 }

src/Tag/Controller/CollectionController.php

@@ -25,6 +25,7 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\DefaultResponses;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\SuccessResponse;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
+use Pimcore\Bundle\StudioBackendBundle\Security\PermissionsToCheck;
 use Pimcore\Bundle\StudioBackendBundle\Tag\MappedParameter\TagsParameters;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Schema\Tag;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Service\TagServiceInterface;
@@ -34,7 +35,6 @@
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Attribute\MapQueryString;
 use Symfony\Component\Routing\Attribute\Route;
-use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 
 /**
@@ -55,7 +55,6 @@ public function __construct(
      * @throws InvalidQueryTypeException
      */
     #[Route('/tags', name: 'pimcore_studio_api_tags', methods: ['GET'])]
-    #[IsGranted(UserPermissions::TAGS_CONFIGURATION->value)]
     #[Get(
         path: self::PREFIX . '/tags',
         operationId: 'tag_get_collection',
@@ -81,6 +80,14 @@ public function __construct(
     public function getTags(
         #[MapQueryString] TagsParameters $parameters): JsonResponse
     {
+        $this->denyAccessUnlessGranted(
+            'HasOneOf',
+            new PermissionsToCheck([
+                UserPermissions::TAGS_CONFIGURATION->value,
+                UserPermissions::TAGS_SEARCH->value,
+            ])
+        );
+
         return $this->jsonResponse(['items' => $this->tagService->listTags($parameters)]);
     }
 }

src/Tag/Controller/GetController.php

@@ -20,13 +20,13 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\DefaultResponses;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\SuccessResponse;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
+use Pimcore\Bundle\StudioBackendBundle\Security\PermissionsToCheck;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Schema\Tag;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Service\TagServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\HttpResponseCodes;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
-use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 
 /**
@@ -42,7 +42,6 @@ public function __construct(
     }
 
     #[Route('/tags/{id}', name: 'pimcore_studio_api_get_tag', methods: ['GET'])]
-    #[IsGranted(UserPermissions::TAGS_CONFIGURATION->value)]
     #[Get(
         path: self::PREFIX . '/tags/{id}',
         operationId: 'tag_get_by_id',
@@ -61,6 +60,14 @@ public function __construct(
     ])]
     public function getTags(int $id): JsonResponse
     {
+        $this->denyAccessUnlessGranted(
+            'HasOneOf',
+            new PermissionsToCheck([
+                UserPermissions::TAGS_CONFIGURATION->value,
+                UserPermissions::TAGS_SEARCH->value,
+            ])
+        );
+
         return $this->jsonResponse($this->tagService->getTag($id));
     }
 }

src/Translation/Repository/TranslationRepository.php

@@ -25,8 +25,11 @@
 use Pimcore\Bundle\StudioBackendBundle\Translation\Schema\UpdateTranslation;
 use Pimcore\Bundle\StudioBackendBundle\Translation\Service\TranslatorServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
+use Pimcore\Config;
 use Pimcore\Model\Translation;
 use Pimcore\Model\Translation\Listing;
+use function array_unique;
+use function array_values;
 use function in_array;
 use function sprintf;
 
@@ -41,6 +44,7 @@ public function __construct(
         private SettingsProviderInterface $systemSettingsProvider,
         private Connection $db,
         private SecurityServiceInterface $securityService,
+        private Config $config,
     ) {
         $settings = $this->systemSettingsProvider->getSettings();
         $this->validLanguages = $settings['validLanguages'] ?? [];
@@ -192,10 +196,10 @@ public function getTranslationKeysWithTextFilter(
 
     public function getTranslationList(string $domain = TranslatorServiceInterface::DOMAIN): Listing
     {
+        $this->assertValidDomain($domain);
+
         $list = new Translation\Listing();
         $list->setDomain($domain);
-        $list->setOrder('asc');
-        $list->setOrderKey('translations_' . $domain . '.key', false);
 
         return $list;
     }
@@ -245,4 +249,15 @@ private function validateLocale(string $locale): void
             throw new InvalidLocaleException($locale);
         }
     }
+
+    /**
+     * @throws NotFoundException
+     */
+    private function assertValidDomain(string $domain): void
+    {
+        $allowedDomains = array_values(array_unique($this->config['translations']['domains'] ?? []));
+        if (!in_array($domain, $allowedDomains, true)) {
+            throw new NotFoundException('Translation Domain', $domain);
+        }
+    }
 }