From 9db94c494568f162fbca914216887eeca32527f1 Mon Sep 17 00:00:00 2001
From: Tim Fischbach
Date: Tue, 10 Mar 2026 09:31:38 +0100
Subject: [PATCH] Persist selected folder when creating entries

folder_id was only included in permitted params for the update action. It is now also permitted during create. A separate configure_folder_for authorization check is not needed since only publishers can create entries and configure_folder_on requires the same role. Cross-account folder assignment is prevented by existing model validation.
---
 admins/pageflow/entry.rb | 3 ++-
 config/locales/de.yml | 1 +
 .../admin/entries_controller_spec.rb | 24 +++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/admins/pageflow/entry.rb b/admins/pageflow/entry.rb
index 46991d91f5..64f6ab1690 100644
--- a/admins/pageflow/entry.rb
+++ b/admins/pageflow/entry.rb
@@ -330,7 +330,8 @@ def permitted_attributes # rubocop:todo Metrics/AbcSize
 result += Pageflow.config_for(target).admin_form_inputs.permitted_attributes_for(:entry)
 result += permitted_account_attributes
- result << :folder_id if params[:id] && authorized?(:configure_folder_for, resource)
+ result << :folder_id if create_or_new_action? ||
+ (params[:id] && authorized?(:configure_folder_for, resource))
 accounts = if params[:id]
 resource.account
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 5ac8dce4f2..2a2caebf0c 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -182,6 +182,7 @@ de:
 account: Konto
 author: Autor
 created_at: Erstellt
+ folder: Ordner
 credits: Credits
 structured_data_type_name: Strukturierter Datentyp
 edited_at: GeƤndert
diff --git a/spec/controllers/admin/entries_controller_spec.rb b/spec/controllers/admin/entries_controller_spec.rb
index 3eb6082d2e..95bb65a180 100644
--- a/spec/controllers/admin/entries_controller_spec.rb
+++ b/spec/controllers/admin/entries_controller_spec.rb
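Review bot: On create and new, `:folder_id` is now permitted with no policy call in `permitted_attributes`, so whether a user may place an entry in a given folder is decided entirely by code this hunk does not show: the role check on the create action and, per the commit message, a model validation that ties the folder to the entry's account. If either is later relaxed or bypassed (a lower role allowed to create, a save that skips validations), this line passes an arbitrary `folder_id` through with nothing here to flag it. I would record the dependency at the condition, for example `# create/new: no configure_folder_for check; relies on create being publisher-only and on the model rejecting folders of other accounts`, and treat the cross-account spec as the regression guard. `create_or_new_action?` and the rest of `permitted_attributes` lie outside the hunk, so which actions the predicate matches could not be checked here.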
@@ -948,6 +948,30 @@ def self.name
 expect(request).to redirect_to(admin_entry_path(Pageflow::Entry.last))
 end
+ it 'allows account publisher to create entry in folder' do
+ user = create(:user)
+ account = create(:account, with_publisher: user)
+ folder = create(:folder, account:)
+
+ sign_in(user, scope: :user)
+
+ post :create, params: {entry: attributes_for(:entry, account:, folder_id: folder)}
+
+ expect(Pageflow::Entry.last.folder).to eq(folder)
+ end
+
+ it 'does not allow account publisher to create entry in folder of other account' do
+ user = create(:user)
+ account = create(:account, with_publisher: user)
+ folder = create(:folder, account: create(:account))
+
+ sign_in(user, scope: :user)
+
+ expect {
+ post :create, params: {entry: attributes_for(:entry, account:, folder_id: folder)}
+ }.not_to change(Pageflow::Entry, :count)
+ end
+
+ it 'redirects to editor if after_entry_create is set to editor' do
 user = create(:user)
 account = create(:account, with_publisher: user)
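Review bot: The cross-account example asserts only that `Pageflow::Entry.count` is unchanged, so it cannot tell a rejection by the folder/account validation from a request that failed for some other reason, such as an authorization redirect. Since this is the test that guards tenant isolation for `folder_id` on create, it should also pin the outcome, for instance `expect(response).not_to be_redirect` if a failed validation re-renders the form in this admin (not verifiable from the hunk). Both new examples also pass the record itself as `folder_id: folder`; `folder_id: folder.id` states the intent without relying on parameter conversion. The enclosing `describe` block starts and ends outside the hunk.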