Skip to content

Commit 92cb9e2

Browse files
[5.x] Prevent term creation via fieldtype without permission (#14274)
Co-authored-by: Jason Varga <jason@pixelfear.com>
1 parent f243f13 commit 92cb9e2

1 file changed

Lines changed: 12 additions & 1 deletion

File tree

src/Fieldtypes/Terms.php

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -220,8 +220,13 @@ public function process($data)
220220
$id = $this->createTermFromString($id, $taxonomy);
221221
}
222222

223+
if (! $id) {
224+
return null;
225+
}
226+
223227
return explode('::', $id, 2)[1];
224228
})
229+
->filter()
225230
->unique()
226231
->values()
227232
->all();
@@ -485,9 +490,15 @@ protected function createTermFromString($string, $taxonomy)
485490
$slug = Str::slug($string, '-', $lang);
486491

487492
if (! $term = Facades\Term::find("{$taxonomy}::{$slug}")) {
493+
$taxonomy = Facades\Taxonomy::findByHandle($taxonomy);
494+
495+
if (User::current()->cant('create', [TermContract::class, $taxonomy])) {
496+
return null;
497+
}
498+
488499
$term = Facades\Term::make()
489500
->slug($slug)
490-
->taxonomy(Facades\Taxonomy::findByHandle($taxonomy))
501+
->taxonomy($taxonomy)
491502
->set('title', $string);
492503

493504
$term->save();

0 commit comments

Comments
 (0)