From c3557734cd24879da27ae4d0479ab6485c68f657 Mon Sep 17 00:00:00 2001
From: Eric Schubert
Date: Mon, 4 May 2026 14:52:52 +0200
Subject: [PATCH] [#73440] fix permission checks
- move actions to correct controller name
- fix unit test
---
 app/controllers/wiki_controller.rb | 19 +++++++++----------
 config/initializers/permissions.rb | 3 ++-
 .../app/services/wikis/adapters/registry.rb | 8 ++++----
 .../wiki_pages/shared_contract_examples.rb | 4 ++--
 spec/controllers/wiki_controller_spec.rb | 12 ++++++------
 5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index a4904ed5021..60357aac877 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -222,7 +222,7 @@ class WikiController < ApplicationController
 def wiki_root_menu_items
 MenuItems::WikiMenuItem
 .main_items(@wiki.id)
- .map { OpenStruct.new name: it.name, caption: it.title, item: it }
+ .map { { name: it.name, caption: it.title, item: it } }
 end
 def edit_parent_page
@@ -252,12 +252,11 @@ class WikiController < ApplicationController
 # show page history
 def history
 # don't load text
- @versions = @page
- .journals
- .select(:id, :user_id, :notes, :created_at, :version)
- .order(Arel.sql("version DESC"))
- .page(page_param)
- .per_page(per_page_param)
+ @versions = @page.journals
+ .select(:id, :user_id, :notes, :created_at, :version)
+ .order(Arel.sql("version DESC"))
+ .page(page_param)
+ .per_page(per_page_param)
 render layout: !request.xhr?
 end
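Review bot: In `wiki_root_menu_items` the mapped elements change from `OpenStruct` objects to plain hashes, so any consumer that reads them as `item.name`, `item.caption` or `item.item` will now raise `NoMethodError`, and none of the five files in this patch is such a consumer. If the readers live in views or helpers outside this diff, they need `item[:name]`-style access. Alternatively, keep method-style readers without `OpenStruct` through a small value object, e.g. `WikiRootMenuItem = Data.define(:name, :caption, :item)` with `.map { WikiRootMenuItem.new(name: it.name, caption: it.title, item: it) }`. The change is also unrelated to the permission fix named in the subject and would be easier to audit as its own commit.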
@@ -406,9 +405,9 @@ class WikiController < ApplicationController
 # Using the empty contract here as we use the method to instantiate the model, not to save it (new and new_child action).
 # Errors are expected here as the user has not yet entered any data.
 @page = WikiPages::SetAttributesService
- .new(model: WikiPage.new, user: current_user, contract_class: EmptyContract)
- .call(wiki: @wiki, title: wiki_page_title.presence, parent_id: flash[:_related_wiki_page_id])
- .result
+ .new(model: WikiPage.new, user: current_user, contract_class: EmptyContract)
+ .call(wiki: @wiki, title: wiki_page_title.presence, parent_id: flash[:_related_wiki_page_id])
+ .result
 end
 # Returns true if the current user is allowed to edit the page, otherwise false
diff --git a/config/initializers/permissions.rb b/config/initializers/permissions.rb
index 6a74f928424..708d57fb9ab 100644
--- a/config/initializers/permissions.rb
+++ b/config/initializers/permissions.rb
@@ -554,7 +554,8 @@ Rails.application.reloader.to_prepare do
 wiki.permission :manage_wiki,
 {
- wikis: %i[edit destroy protect edit_parent_page update_parent_page],
+ wiki: %i[destroy protect edit_parent_page update_parent_page],
+ wikis: %i[edit destroy],
 wiki_menu_items: %i[edit update select_main_menu_item replace_main_menu_item]
 },
 dependencies: :edit_wiki_pages,
diff --git a/modules/wikis/app/services/wikis/adapters/registry.rb b/modules/wikis/app/services/wikis/adapters/registry.rb
index df57ef01321..93cee8f5da6 100644
--- a/modules/wikis/app/services/wikis/adapters/registry.rb
+++ b/modules/wikis/app/services/wikis/adapters/registry.rb
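Review bot: `destroy` now appears under both `wiki:` and `wikis:` in the `manage_wiki` mapping, whereas the old line granted it only for `wikis`, so this commit newly attaches the `wiki` controller's `destroy` action (presumably page deletion) to `manage_wiki`. If that action is already gated by a narrower permission elsewhere in this initializer (not visible in the hunk), holders of `manage_wiki` gain it silently. State the intent in the commit message, or drop it with `wiki: %i[protect edit_parent_page update_parent_page],`. Since the bug came from two keys that differ by one letter, a comment above the hash such as `# wiki: page actions (WikiController); wikis: actions on the wiki itself` would help the next editor. The `wiki.permission` call continues past the end of the hunk.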
@@ -74,10 +74,10 @@ module Wikis
 UnknownProvider.new(provider)
 in [provider, "contracts", model]
 MissingContract.new("No #{model} contract defined for provider: #{provider.camelize}")
- in [provider, "commands" | "queries" => type, operation]
- OperationNotSupported.new(
- "#{type.singularize.capitalize} #{operation} not supported by provider: #{provider.camelize}"
- )
+ # in [provider, "commands" | "queries" => type, operation]
+ # OperationNotSupported.new(
+ # "#{type.singularize.capitalize} #{operation} not supported by provider: #{provider.camelize}"
+ # )
 end
 end
 end
diff --git a/spec/contracts/wiki_pages/shared_contract_examples.rb b/spec/contracts/wiki_pages/shared_contract_examples.rb
index affb80bd71f..f05163beb6c 100644
--- a/spec/contracts/wiki_pages/shared_contract_examples.rb
+++ b/spec/contracts/wiki_pages/shared_contract_examples.rb
@@ -138,8 +138,8 @@ RSpec.shared_examples_for "wiki page contract" do
 end
 end
- context "if the page is protected and the user has permission to protect pages" do
- let(:permissions) { %i[view_wiki_pages edit_wiki_pages protect_wiki_pages] }
+ context "if the page is protected and the user has permission to manage the wiki" do
+ let(:permissions) { %i[view_wiki_pages edit_wiki_pages manage_wiki] }
 let(:page_protected) { true }
 it_behaves_like "is valid"
diff --git a/spec/controllers/wiki_controller_spec.rb b/spec/controllers/wiki_controller_spec.rb
index 73aff46ea55..2d6fa28ef75 100644
--- a/spec/controllers/wiki_controller_spec.rb
+++ b/spec/controllers/wiki_controller_spec.rb
@@ -292,7 +292,7 @@ RSpec.describe WikiController do
 let(:permissions) do
 existing_page.update_column(:protected, true)
- %i[view_wiki_pages edit_wiki_pages protect_wiki_pages]
+ %i[view_wiki_pages edit_wiki_pages manage_wiki]
 end
 it "is sucessful" do
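Review bot: Commenting out the `"commands" | "queries"` arm in registry.rb leaves the `case … in` with no arm for those keys, and the hunk shows `end` directly after it with no `else`. Unless an earlier arm outside the hunk catches them, an unsupported command or query lookup would raise `NoMatchingPatternError` instead of yielding an `OperationNotSupported` error. Callers that branch on the returned error object would then see an unhandled exception rather than a structured failure. This looks like a debugging leftover unrelated to the permission fix: either restore the arm, or delete it and add an explicit `else` with a one-line comment giving the reason. The enclosing method and the start of the `case` are outside the hunk.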
@@ -590,7 +590,7 @@ RSpec.describe WikiController do
 shared_let(:parent_page) { create(:wiki_page, wiki:) }
 shared_let(:child_page) { create(:wiki_page, wiki:, parent: parent_page) }
- let(:permissions) { %i[view_wiki_pages rename_wiki_pages edit_wiki_pages] }
+ let(:permissions) { %i[view_wiki_pages edit_wiki_pages] }
 let(:params) do
 { project_id: project, id: existing_page.title }
@@ -822,7 +822,7 @@ RSpec.describe WikiController do
 end
 describe "export" do
- let(:permissions) { %i[view_wiki_pages export_wiki_pages] }
+ let(:permissions) { %i[view_wiki_pages] }
 current_user { create(:user, member_with_permissions: { project => permissions }) }
@@ -846,7 +846,7 @@ RSpec.describe WikiController do
 end
 context "for an unauthorized user" do
- let(:permissions) { %i[view_wiki_pages] }
+ let(:permissions) { [] }
 it "prevents access" do
 expect(response)
@@ -856,7 +856,7 @@ RSpec.describe WikiController do
 end
 describe "protect" do
- let(:permissions) { %i[view_wiki_pages protect_wiki_pages] }
+ let(:permissions) { %i[view_wiki_pages manage_wiki] }
 let(:params) do
 { project_id: project, id: existing_page.title, protected: "1" }
@@ -891,7 +891,7 @@ RSpec.describe WikiController do
 let(:permissions) do
 existing_page.update_column :protected, true
- %i[view_wiki_pages protect_wiki_pages]
+ %i[view_wiki_pages manage_wiki]
 end
 let(:params) do
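Review bot: The `describe "protect"` hunks only swap `protect_wiki_pages` for `manage_wiki` in the allowed case; no visible hunk asserts that a user holding just `%i[view_wiki_pages edit_wiki_pages]` is refused on `protect`, `edit_parent_page` or `update_parent_page`, which are the actions this commit re-maps. If no such example exists outside the hunks, add a `context "without manage_wiki"` with `let(:permissions) { %i[view_wiki_pages edit_wiki_pages] }` that expects access to be refused. A future typo in the controller key would then fail a test instead of silently changing who is authorised. The `describe "protect"` block continues outside the hunk.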