From 87352ca6f733055c6ca9a8368e4ee00e9fd3f048 Mon Sep 17 00:00:00 2001
From: Sebastian Almberg <83243306+Sebbeben@users.noreply.github.com>
Date: Fri, 30 Jan 2026 21:46:27 +0100
Subject: [PATCH] Add manage_updates permission schema migration

- Bump permission schema to version 4
- Add upgradeSchemaToVersion4 for manage_updates permission
  - Grants manage_updates to users who have both show_updates and server_infos
- Fix ZIP_RELEASE installation type: set supportsAutoUpdate to false
  (ZIP update not yet implemented)
- Improve update instructions for ZIP installations
---
 src/Entity/UserSystem/PermissionData.php        |  2 +-
 .../System/InstallationTypeDetector.php         |  5 +++--
 .../UserSystem/PermissionSchemaUpdater.php      | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/Entity/UserSystem/PermissionData.php b/src/Entity/UserSystem/PermissionData.php
index 9ebdc9c9..b7d1ff8f 100644
--- a/src/Entity/UserSystem/PermissionData.php
+++ b/src/Entity/UserSystem/PermissionData.php
@@ -43,7 +43,7 @@ final class PermissionData implements \JsonSerializable
     /**
      * The current schema version of the permission data
      */
-    public const CURRENT_SCHEMA_VERSION = 3;
+    public const CURRENT_SCHEMA_VERSION = 4;
 
     /**
      * Creates a new Permission Data Instance using the given data.
diff --git a/src/Services/System/InstallationTypeDetector.php b/src/Services/System/InstallationTypeDetector.php
index 0cd99a04..4d04c55b 100644
--- a/src/Services/System/InstallationTypeDetector.php
+++ b/src/Services/System/InstallationTypeDetector.php
@@ -51,7 +51,8 @@ enum InstallationType: string
         return match($this) {
             self::GIT => true,
             self::DOCKER => false,
-            self::ZIP_RELEASE => true,
+            // ZIP_RELEASE auto-update not yet implemented
+            self::ZIP_RELEASE => false,
             self::UNKNOWN => false,
         };
     }
@@ -61,7 +62,7 @@ enum InstallationType: string
         return match($this) {
             self::GIT => 'Run: php bin/console partdb:update',
             self::DOCKER => 'Pull the new Docker image and recreate the container: docker-compose pull && docker-compose up -d',
-            self::ZIP_RELEASE => 'Download the new release, extract it, and run migrations.',
+            self::ZIP_RELEASE => 'Download the new release ZIP from GitHub, extract it over your installation, and run: php bin/console doctrine:migrations:migrate && php bin/console cache:clear',
             self::UNKNOWN => 'Unable to determine installation type. Please update manually.',
         };
     }
diff --git a/src/Services/UserSystem/PermissionSchemaUpdater.php b/src/Services/UserSystem/PermissionSchemaUpdater.php
index 104800dc..b3341322 100644
--- a/src/Services/UserSystem/PermissionSchemaUpdater.php
+++ b/src/Services/UserSystem/PermissionSchemaUpdater.php
@@ -157,4 +157,21 @@ class PermissionSchemaUpdater
             $permissions->setPermissionValue('system', 'show_updates', $new_value);
         }
     }
+
+    private function upgradeSchemaToVersion4(HasPermissionsInterface $holder): void //@phpstan-ignore-line This is called via reflection
+    {
+        $permissions = $holder->getPermissions();
+
+        //If the system.manage_updates permission is not defined yet, set it to true if the user can show updates AND has server_infos permission
+        //This ensures that admins who can view updates and server info can also manage (execute) updates
+        if (!$permissions->isPermissionSet('system', 'manage_updates')) {
+
+            $new_value = TrinaryLogicHelper::and(
+                $permissions->getPermissionValue('system', 'show_updates'),
+                $permissions->getPermissionValue('system', 'server_infos')
+            );
+
+            $permissions->setPermissionValue('system', 'manage_updates', $new_value);
+        }
+    }
 }