From 1bfd36ccf59c56d076fb0d35312119b5adfd3328 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Mon, 2 Feb 2026 17:04:45 +0100
Subject: [PATCH] Do not automatically give existing users the right to manage updates, but include that for new databases
---
 src/Entity/UserSystem/PermissionData.php | 2 +-
 .../UserSystem/PermissionPresetsHelper.php | 3 ++-
 .../UserSystem/PermissionSchemaUpdater.php | 17 -----------------
 3 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/src/Entity/UserSystem/PermissionData.php b/src/Entity/UserSystem/PermissionData.php
index b7d1ff8f..9ebdc9c9 100644
--- a/src/Entity/UserSystem/PermissionData.php
+++ b/src/Entity/UserSystem/PermissionData.php
@@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
 /**
 * The current schema version of the permission data
 */
- public const CURRENT_SCHEMA_VERSION = 4;
+ public const CURRENT_SCHEMA_VERSION = 3;
 /**
 * Creates a new Permission Data Instance using the given data.
diff --git a/src/Services/UserSystem/PermissionPresetsHelper.php b/src/Services/UserSystem/PermissionPresetsHelper.php
index a3ed01b8..3d125b27 100644
--- a/src/Services/UserSystem/PermissionPresetsHelper.php
+++ b/src/Services/UserSystem/PermissionPresetsHelper.php
@@ -111,8 +111,9 @@ class PermissionPresetsHelper
 //Allow to manage Oauth tokens
 $this->permissionResolver->setPermission($perm_holder, 'system', 'manage_oauth_tokens', PermissionData::ALLOW);
- //Allow to show updates
+ //Allow to show and manage updates
 $this->permissionResolver->setPermission($perm_holder, 'system', 'show_updates', PermissionData::ALLOW);
+ $this->permissionResolver->setPermission($perm_holder, 'system', 'manage_updates', PermissionData::ALLOW);
 }
diff --git a/src/Services/UserSystem/PermissionSchemaUpdater.php b/src/Services/UserSystem/PermissionSchemaUpdater.php
index b3341322..104800dc 100644
--- a/src/Services/UserSystem/PermissionSchemaUpdater.php
+++ b/src/Services/UserSystem/PermissionSchemaUpdater.php
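Review bot: Lowering `CURRENT_SCHEMA_VERSION` from 4 to 3 in PermissionData.php does nothing for holders that already went through the removed `upgradeSchemaToVersion4`: they presumably keep a stored schema version of 4 and a `system.manage_updates` value that was derived from `show_updates` AND `server_infos`. How PermissionSchemaUpdater treats a stored version higher than the current one is not visible in this patch, so that path should be checked, and version 4 should not be reused for a later migration because those holders would likely skip it. A comment on the constant would record this, e.g. `// Schema version 4 was used by a withdrawn manage_updates migration; do not reuse it`. If the migration ever shipped, the release notes should tell operators to review who holds `manage_updates`.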
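Review bot: The new `manage_updates` grant in PermissionPresetsHelper.php is added to a preset method that begins above this hunk, so it cannot be confirmed from the visible lines which preset receives it. According to the comment removed from PermissionSchemaUpdater.php in this same commit, this permission covers executing updates, which is a much stronger right than `show_updates`, and the one-word comment change does not convey that. I would spell it out, e.g. `//Allow to show and manage (execute) updates. Not granted by any schema migration, so existing holders need it set explicitly`, and add a test asserting that the other presets leave `manage_updates` unset.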
@@ -157,21 +157,4 @@ class PermissionSchemaUpdater
 $permissions->setPermissionValue('system', 'show_updates', $new_value);
 }
 }
-
- private function upgradeSchemaToVersion4(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
- {
- $permissions = $holder->getPermissions();
-
- //If the system.manage_updates permission is not defined yet, set it to true if the user can show updates AND has server_infos permission
- //This ensures that admins who can view updates and server info can also manage (execute) updates
- if (!$permissions->isPermissionSet('system', 'manage_updates')) {
-
- $new_value = TrinaryLogicHelper::and(
- $permissions->getPermissionValue('system', 'show_updates'),
- $permissions->getPermissionValue('system', 'server_infos')
- );
-
- $permissions->setPermissionValue('system', 'manage_updates', $new_value);
- }
- }
 }