[5.x] Prevent term creation via fieldtype without permission (#14274)

duncanmcclean · jasonvarga · web-flow · commit 92cb9e200a0d · 2026-03-17T13:52:09.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
@@ -220,8 +220,13 @@ public function process($data)
                     $id = $this->createTermFromString($id, $taxonomy);
                 }
 
+                if (! $id) {
+                    return null;
+                }
+
                 return explode('::', $id, 2)[1];
             })
+                ->filter()
                 ->unique()
                 ->values()
                 ->all();
@@ -485,9 +490,15 @@ protected function createTermFromString($string, $taxonomy)
         $slug = Str::slug($string, '-', $lang);
 
         if (! $term = Facades\Term::find("{$taxonomy}::{$slug}")) {
+            $taxonomy = Facades\Taxonomy::findByHandle($taxonomy);
+
+            if (User::current()->cant('create', [TermContract::class, $taxonomy])) {
+                return null;
+            }
+
             $term = Facades\Term::make()
                 ->slug($slug)
-                ->taxonomy(Facades\Taxonomy::findByHandle($taxonomy))
+                ->taxonomy($taxonomy)
                 ->set('title', $string);
 
             $term->save();
