From 9a8aefc46f3d4640a158deacedb0e8924d40d115 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joachim=20R=C3=BCtter?=
Date: Fri, 26 Jun 2026 19:46:07 +0000
Subject: [PATCH] Authorize role/group fieldtypes with the assign permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The UserRoles and UserGroups fieldtypes sit on the user form, where the relevant capability is assigning a role/group to a user. They were gated on "edit roles" / "edit user groups" — the permissions for editing the role/group definitions themselves — so a non-super user who only had "assign roles" got an empty select and couldn't pick a role. Gate them on "assign roles" / "assign user groups" instead, matching how the user form, controller, and bulk actions already authorize this.

Co-authored-by: Claude Opus 4.8
---
 src/Fieldtypes/UserGroups.php | 4 +--
 src/Fieldtypes/UserRoles.php | 4 +--
 tests/Fieldtypes/UserGroupsTest.php | 53 +++++++++++++++++++++++++++++
 tests/Fieldtypes/UserRolesTest.php | 50 +++++++++++++++++++++++++++
 4 files changed, 107 insertions(+), 4 deletions(-)
 create mode 100644 tests/Fieldtypes/UserGroupsTest.php
 create mode 100644 tests/Fieldtypes/UserRolesTest.php

diff --git a/src/Fieldtypes/UserGroups.php b/src/Fieldtypes/UserGroups.php
index 52378b232e4..5d31cd631f7 100644
--- a/src/Fieldtypes/UserGroups.php
+++ b/src/Fieldtypes/UserGroups.php
@@ -18,7 +18,7 @@ class UserGroups extends Relationship
     protected function authorizeItemData($id): bool
     {
-        return User::current()->can('edit user groups');
+        return User::current()->can('assign user groups');
     }
     protected function toItemArray($id, $site = null)
@@ -35,7 +35,7 @@ protected function toItemArray($id, $site = null)
     public function getIndexItems($request)
     {
-        if (! User::current()->can('edit user groups')) {
+        if (! User::current()->can('assign user groups')) {
             return collect();
         }
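Review bot: `authorizeItemData($id)` on the new side never consults `$id`, so the check is permission-wide rather than per-group — any user who may assign groups can resolve item data for every group handle — and nothing in the hunk says that is the intended scope. A one-line comment would stop the next reader from hunting for a per-item rule: `// Permission-level check only: $id is deliberately ignored; anyone who may assign groups may resolve any group.` If this fieldtype can ever be processed without an authenticated CP user (not visible in this diff), `User::current()->can(...)` would throw on a null user rather than deny; `return (bool) User::current()?->can('assign user groups');` fails closed instead, assuming `User::current()` returns null in that situation.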
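Review bot: The new guard still answers a missing `assign user groups` permission with an empty `collect()`, the same silent empty select the commit message describes for the old gating, so a denied user cannot tell a permission problem from an install with no groups; if that fail-closed behaviour is intended, say so on the return line: `// Fail closed: callers without the assign permission get an empty option list, not an error.` This option list is a UI hint, not the enforcement point — whatever controller saves the user must still reject group ids submitted by someone without this permission, which the commit message says it does but which is outside this diff. `'assign user groups'` is now spelled out in two methods of the class; a `protected const ASSIGN_PERMISSION = 'assign user groups';` used by both would keep the two checks from drifting apart again. The hunk stops at the guard; the rest of getIndexItems is outside it.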
diff --git a/src/Fieldtypes/UserRoles.php b/src/Fieldtypes/UserRoles.php
index 8b355c2f880..c7e8c88bf8f 100644
--- a/src/Fieldtypes/UserRoles.php
+++ b/src/Fieldtypes/UserRoles.php
@@ -18,7 +18,7 @@ class UserRoles extends Relationship
     protected function authorizeItemData($id): bool
     {
-        return User::current()->can('edit roles');
+        return User::current()->can('assign roles');
     }
     protected function toItemArray($id, $site = null)
@@ -47,7 +47,7 @@ public function preProcessIndex($data)
     public function getIndexItems($request)
     {
-        if (! User::current()->can('edit roles')) {
+        if (! User::current()->can('assign roles')) {
             return collect();
         }
diff --git a/tests/Fieldtypes/UserGroupsTest.php b/tests/Fieldtypes/UserGroupsTest.php
new file mode 100644
index 00000000000..ea4eb20405c
--- /dev/null
+++ b/tests/Fieldtypes/UserGroupsTest.php
@@ -0,0 +1,53 @@
+actingAs($this->cpUserWithPermissions(['access cp']));
+
+        $items = $this->fieldtype()->getIndexItems(new Request);
+
+        $this->assertTrue($items->isEmpty());
+    }
+
+    #[Test]
+    public function it_returns_groups_in_index_items_with_assign_user_groups_permission()
+    {
+        $this->setTestUserGroups(['editors' => []]);
+        $this->actingAs($this->cpUserWithPermissions(['access cp', 'assign user groups']));
+
+        $items = $this->fieldtype()->getIndexItems(new Request);
+
+        $this->assertContains('editors', $items->pluck('id'));
+    }
+
+    private function fieldtype()
+    {
+        return (new UserGroups)->setField(new Field('test', ['type' => 'user_groups']));
+    }
+
+    private function cpUserWithPermissions(array $permissions)
+    {
+        $this->setTestRoles(['test' => $permissions]);
+
+        return tap(User::make()->id(uniqid())->assignRole('test'))->save();
+    }
+}
diff --git a/tests/Fieldtypes/UserRolesTest.php b/tests/Fieldtypes/UserRolesTest.php
new file mode 100644
index 00000000000..d3afd330d95
--- /dev/null
+++ b/tests/Fieldtypes/UserRolesTest.php
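Review bot: Widening this check from `edit roles` to `assign roles` means every holder of the assign permission can now resolve any role handle through `authorizeItemData`, including whatever privileged roles exist in the install, because the method filters by permission only and never by which role `$id` names. Whether the saving controller (or the role list) excludes roles the current user should not be able to grant — a super role, for instance — is not visible in this diff and is worth confirming before merging, since with this change a broader set of users sees those ids. A comment stating the intended scope would make it explicit: `// Permission-level only: any user who may assign roles may resolve any role handle; $id is not consulted.` If there can be no current user when this runs (not visible here), `User::current()->can(...)` throws rather than denies.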
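Review bot: The denied branch returns `collect()`, so a user without `assign roles` gets an empty option list that is indistinguishable from "no roles defined"; that is acceptable fail-closed behaviour, but a comment on the `return collect();` line would stop it being read as a missing feature: `// Fail closed: no assign permission means no options, rather than an error.` The permission string is duplicated with `authorizeItemData` earlier in the class, which is exactly how the two checks ended up needing a coordinated fix here; a `private const ASSIGN_PERMISSION = 'assign roles';` shared by both methods would prevent a repeat. The body of getIndexItems continues beyond the hunk.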
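Review bot: The tests pin "no permission → empty" and "assign permission → listed", but not the regression this commit fixes: a user holding only the old `edit user groups` permission should now get an empty list, and nothing here would fail if the guard were reverted to the old string. `authorizeItemData`, the other method the commit changes, is not exercised at all. The hunk as captured is also truncated at the top — the file header, class declaration and the first test's name are missing and its first line reads `+actingAs(` — so the imports and that method's `#[Test]` attribute cannot be checked from this listing. `assertCount(0, $items)` would additionally print the unexpected contents on failure where `assertTrue($items->isEmpty())` only reports `false`.
```php
    // … unchanged: existing index-item tests …

    #[Test]
    public function it_returns_no_groups_with_only_edit_user_groups_permission()
    {
        $this->setTestUserGroups(['editors' => []]);
        $this->actingAs($this->cpUserWithPermissions(['access cp', 'edit user groups']));

        $this->assertCount(0, $this->fieldtype()->getIndexItems(new Request));
    }

    // … unchanged: fieldtype() and cpUserWithPermissions() helpers …
```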
@@ -0,0 +1,50 @@
+actingAs($this->cpUserWithPermissions(['access cp']));
+
+        $items = $this->fieldtype()->getIndexItems(new Request);
+
+        $this->assertTrue($items->isEmpty());
+    }
+
+    #[Test]
+    public function it_returns_roles_in_index_items_with_assign_roles_permission()
+    {
+        $this->actingAs($this->cpUserWithPermissions(['access cp', 'assign roles']));
+
+        $items = $this->fieldtype()->getIndexItems(new Request);
+
+        $this->assertContains('editor', $items->pluck('id'));
+    }
+
+    private function fieldtype()
+    {
+        return (new UserRoles)->setField(new Field('test', ['type' => 'user_roles']));
+    }
+
+    private function cpUserWithPermissions(array $permissions)
+    {
+        $this->setTestRoles(['test' => $permissions, 'editor' => []]);
+
+        return tap(User::make()->id(uniqid())->assignRole('test'))->save();
+    }
+}
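Review bot: `cpUserWithPermissions()` quietly registers the `editor` role that `it_returns_roles_in_index_items_with_assign_roles_permission` asserts on, so the fixture a reader looks for in the test body lives in a helper named for something else; presumably `setTestRoles()` replaces the whole role set, which would be why it cannot be a second call inside the test — if so, a comment on that line makes the coupling visible: `// setTestRoles() replaces all roles, so the 'editor' fixture must be registered together with the acting user's role.` As with the groups test, there is no case for a user holding only the old `edit roles` permission, which is the regression the commit fixes, and `authorizeItemData` is untested. The captured hunk is truncated at the top (`+actingAs(` with no `$this->`, no file header or class line), so the first test's name and attribute are not visible from here.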