From cd6cfe6fc8b4fe9dd1e99835d5433d0511d251d5 Mon Sep 17 00:00:00 2001
From: markus-moser
Date: Wed, 29 Apr 2026 15:17:44 +0000
Subject: [PATCH] [Tag]: Allow tags_search permission on GET tag endpoints

Fixes #1777
---
 src/Tag/Controller/CollectionController.php | 11 +++++++++--
 src/Tag/Controller/GetController.php | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/Tag/Controller/CollectionController.php b/src/Tag/Controller/CollectionController.php
index a4813f8bb..7d8f8415a 100644
--- a/src/Tag/Controller/CollectionController.php
+++ b/src/Tag/Controller/CollectionController.php
@@ -28,13 +28,13 @@
 use Pimcore\Bundle\StudioBackendBundle\Tag\MappedParameter\TagsParameters;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Schema\Tag;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Service\TagServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Security\PermissionsToCheck;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\HttpResponseCodes;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Trait\PaginatedResponseTrait;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Attribute\MapQueryString;
 use Symfony\Component\Routing\Attribute\Route;
-use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;

 /**
@@ -55,7 +55,6 @@ public function __construct(
 * @throws InvalidQueryTypeException
 */
 #[Route('/tags', name: 'pimcore_studio_api_tags', methods: ['GET'])]
- #[IsGranted(UserPermissions::TAGS_CONFIGURATION->value)]
 #[Get(
 path: self::PREFIX . '/tags',
 operationId: 'tag_get_collection',
@@ -81,6 +80,14 @@ public function __construct(
 public function getTags(
 #[MapQueryString] TagsParameters $parameters): JsonResponse
 {
+ $this->denyAccessUnlessGranted(
+ 'HasOneOf',
+ new PermissionsToCheck([
+ UserPermissions::TAGS_CONFIGURATION->value,
+ UserPermissions::TAGS_SEARCH->value,
+ ])
+ );
+
 return $this->jsonResponse(['items' => $this->tagService->listTags($parameters)]);
 }
 }
diff --git a/src/Tag/Controller/GetController.php b/src/Tag/Controller/GetController.php
index af74b7b47..c0591b08f 100644
--- a/src/Tag/Controller/GetController.php
+++ b/src/Tag/Controller/GetController.php
@@ -22,11 +22,11 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Schema\Tag;
 use Pimcore\Bundle\StudioBackendBundle\Tag\Service\TagServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Security\PermissionsToCheck;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\HttpResponseCodes;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
-use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;

 /**
@@ -42,7 +42,6 @@ public function __construct(
 }

 #[Route('/tags/{id}', name: 'pimcore_studio_api_get_tag', methods: ['GET'])]
- #[IsGranted(UserPermissions::TAGS_CONFIGURATION->value)]
 #[Get(
 path: self::PREFIX . '/tags/{id}',
 operationId: 'tag_get_by_id',
@@ -61,6 +60,14 @@ public function __construct(
 ])]
 public function getTags(int $id): JsonResponse
 {
+ $this->denyAccessUnlessGranted(
+ 'HasOneOf',
+ new PermissionsToCheck([
+ UserPermissions::TAGS_CONFIGURATION->value,
+ UserPermissions::TAGS_SEARCH->value,
+ ])
+ );
+
 return $this->jsonResponse($this->tagService->getTag($id));
 }
 }
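Review bot: The permission check in `CollectionController::getTags` now runs as the first statement of the method rather than as a route attribute, so it executes only after `#[MapQueryString] TagsParameters $parameters` has been resolved; as far as I can tell a caller holding neither permission can then receive a query-validation error instead of a 403, which the removed `#[IsGranted]` would have pre-empted. If that ordering matters, keep the check declarative or pin the behaviour with a test. The voter attribute is also the bare string `'HasOneOf'`: a misspelling would most likely deny every request rather than open the endpoint, but it would surface earlier if the string were referenced through a constant wherever the voter defines one. A short comment above the call, such as `// Read access: tags_configuration or tags_search is sufficient (#1777)`, would record why two permissions are accepted. The same call is added to `GetController::getTags` in the last hunk.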
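Review bot: The accepted permission list in `GetController::getTags` is a verbatim copy of the one added to `CollectionController::getTags`, so the two GET endpoints can drift apart the next time a permission is added or renamed; one shared definition passed to both calls, for example `new PermissionsToCheck(TagPermissions::READ)` (name constructed here for illustration), would keep them aligned. The diffstat lists only the two controllers, so nothing in this patch pins the widened access. A functional test should cover three cases: a user holding only `tags_search` can read `/tags` and `/tags/{id}`, a user with neither permission gets a 403, and the non-GET tag endpoints (not visible in this patch) still require `tags_configuration`.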