From 121fe536d8a3010cf33ed14e76ebda95505fb45d Mon Sep 17 00:00:00 2001
From: Klaus Zanders <k.zanders@openproject.com>
Date: Tue, 9 Jun 2026 16:22:28 +0200
Subject: [PATCH] Guard the Allocate action behind the
 `allocate_user_resources` permission

---
 .../sub_header_component.html.erb              | 18 ++++++++++--------
 .../work_package_list/sub_header_component.rb  |  6 ++++++
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.html.erb b/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.html.erb
index b761bcf12f2..d284efc5969 100644
--- a/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.html.erb
+++ b/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.html.erb
@@ -49,13 +49,15 @@ See COPYRIGHT and LICENSE files for more details.
           "aria-label": t("resource_management.work_package_list.subheader.add")
         }
       ) do |menu|
-        menu.with_item(
-          label: t("resource_management.work_package_list.subheader.allocate"),
-          tag: :a,
-          href: new_project_resource_allocation_path(@project),
-          content_arguments: { data: { controller: "async-dialog" } }
-        ) do |item|
-          item.with_leading_visual_icon(icon: :people)
+        if allowed_to_allocate?
+          menu.with_item(
+            label: t("resource_management.work_package_list.subheader.allocate"),
+            tag: :a,
+            href: new_project_resource_allocation_path(@project),
+            content_arguments: { data: { controller: "async-dialog" } }
+          ) do |item|
+            item.with_leading_visual_icon(icon: :people)
+          end
         end
 
         menu.with_item(
@@ -67,7 +69,7 @@ See COPYRIGHT and LICENSE files for more details.
           item.with_leading_visual_icon(icon: :"op-relations")
         end
       end
-    else
+    elsif allowed_to_allocate?
       subheader.with_action_button(
         leading_icon: :plus,
         scheme: :primary,
diff --git a/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.rb b/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.rb
index 8b68934f364..b391636a567 100644
--- a/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.rb
+++ b/modules/resource_management/app/components/resource_planner_views/work_package_list/sub_header_component.rb
@@ -38,5 +38,11 @@ module ResourcePlannerViews::WorkPackageList
       @resource_planner = resource_planner
       @view = view
     end
+
+    private
+
+    def allowed_to_allocate?
+      User.current.allowed_in_project?(:allocate_user_resources, @project)
+    end
   end
 end