From 2137eecddf4af0a071380ad22cce42377898b0ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Wed, 4 Mar 2026 23:05:21 +0100
Subject: [PATCH] Check for good measure again, that a user is able to edit an entity in an admin form
issue #1283
---
 src/Controller/AdminPages/BaseAdminController.php | 2 ++
 src/Form/AdminPages/BaseEntityAdminForm.php | 1 +
 2 files changed, 3 insertions(+)
diff --git a/src/Controller/AdminPages/BaseAdminController.php b/src/Controller/AdminPages/BaseAdminController.php
index 7c109751..c737e291 100644
--- a/src/Controller/AdminPages/BaseAdminController.php
+++ b/src/Controller/AdminPages/BaseAdminController.php
@@ -195,6 +195,8 @@ abstract class BaseAdminController extends AbstractController
 $this->commentHelper->setMessage($form['log_comment']->getData());
+ //In principle, the form should be disabled, if the edit permission is not granted, but for good measure, we also check it here, before saving changes.
+ $this->denyAccessUnlessGranted('edit', $entity);
 $em->persist($entity);
 $em->flush();
 $this->addFlash('success', 'entity.edit_flash');
diff --git a/src/Form/AdminPages/BaseEntityAdminForm.php b/src/Form/AdminPages/BaseEntityAdminForm.php
index f4bf37f8..bf005882 100644
--- a/src/Form/AdminPages/BaseEntityAdminForm.php
+++ b/src/Form/AdminPages/BaseEntityAdminForm.php
@@ -121,6 +121,7 @@ class BaseEntityAdminForm extends AbstractType
 'label' => 'entity.edit.alternative_names.label',
 'help' => 'entity.edit.alternative_names.help',
 'empty_data' => null,
+ 'disabled' => !$this->security->isGranted($is_new ? 'create' : 'edit', $entity),
 'attr' => [
 'class' => 'tagsinput',
 'data-controller' => 'elements--tagsinput',
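Review bot: The added `denyAccessUnlessGranted('edit', $entity)` sits right before `persist()`, after the log comment has already been set from the submitted form, so a request from a user without 'edit' is rejected only after the bound form data has presumably been applied to the in-memory entity; nothing reaches the database because persist/flush are skipped and the exception aborts the request, but moving the check ahead of form handling would reject such a request before any submitted data touches the entity. The enclosing edit action starts and ends outside the hunk, so where the form is handled is not visible here; if that part of the method is already guarded, this is the belt-and-braces check the comment describes. As a style point, the new comment should follow the file's `// ` convention with a space after the slashes and can be tightened to `// Defence in depth: the form is disabled without 'edit', but enforce it again here before persisting.`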
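Review bot: The permission expression is inlined into a single field's options, so every field that should be read-only has to repeat `!$this->security->isGranted($is_new ? 'create' : 'edit', $entity)` and a field added later can silently omit it. Computing it once near the top of the builder, `$disabled = !$this->security->isGranted($is_new ? 'create' : 'edit', $entity);`, and passing `'disabled' => $disabled` to each field keeps them consistent; if the whole form is meant to be read-only in that case, setting `disabled` on the root form (Symfony propagates a disabled parent to its children, to my knowledge) would be the single-point alternative. The enclosing method (presumably buildForm, where `$is_new` and `$entity` are set) starts and ends outside the hunk, so how the other fields handle this cannot be seen here.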