From d29cd29f55c4fddf71aac842d337c0eec58c140c Mon Sep 17 00:00:00 2001
From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com>
Date: Sun, 5 Apr 2026 22:39:33 +0200
Subject: [PATCH] prevent managers from creating collections (#6890)

managers without the access_all flag should not be able to create
collections. the manage all collections permission actually consists of
three separate custom permissions that have not been implemented yet for
more fine-grain access control.
---
 src/api/core/organizations.rs | 8 ++++----
 src/db/models/organization.rs | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
index 36e3e4a0..9a5079cb 100644
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -500,6 +500,10 @@ async fn post_organization_collections(
     let data: FullCollectionData = data.into_inner();
     data.validate(&org_id, &conn).await?;
 
+    if headers.membership.atype == MembershipType::Manager && !headers.membership.access_all {
+        err!("You don't have permission to create collections")
+    }
+
     let collection = Collection::new(org_id.clone(), data.name, data.external_id);
     collection.save(&conn).await?;
 
@@ -540,10 +544,6 @@ async fn post_organization_collections(
         .await?;
     }
 
-    if headers.membership.atype == MembershipType::Manager && !headers.membership.access_all {
-        CollectionUser::save(&headers.membership.user_uuid, &collection.uuid, false, false, false, &conn).await?;
-    }
-
     Ok(Json(collection.to_json_details(&headers.membership.user_uuid, None, &conn).await))
 }
 
diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs
index 9021c739..ae19b30c 100644
--- a/src/db/models/organization.rs
+++ b/src/db/models/organization.rs
@@ -514,7 +514,8 @@ impl Membership {
             "familySponsorshipValidUntil": null,
             "familySponsorshipToDelete": null,
             "accessSecretsManager": false,
-            "limitCollectionCreation": self.atype < MembershipType::Manager, // If less then a manager return true, to limit collection creations
+            // limit collection creation to managers with access_all permission to prevent issues
+            "limitCollectionCreation": self.atype < MembershipType::Manager || !self.access_all,
             "limitCollectionDeletion": true,
             "limitItemDeletion": false,
             "allowAdminAccessToAllCollectionItems": true,