codevise · tf · Mar 10, 2026 · Mar 10, 2026
diff --git a/admins/pageflow/entry.rb b/admins/pageflow/entry.rb
@@ -101,9 +101,9 @@
                              text_attribute: :name,
                              scope: lambda do
                                AccountPolicy::Scope
                                  .new(current_user, Account)
                                  .entry_movable
                                  .order(:name)
                              end)

    searchable_select_options(name: :eligible_sites,
@@ -111,8 +111,8 @@
                              scope: lambda do |params|
                                account = Account.find(params[:account_id])
                                SitePolicy::Scope
                                  .new(current_user, Site)
                                  .sites_allowed_for(account)
                              end,
                              filter: lambda do |term, scope|
                                scope.ransack(account_name_cont: term).result
@@ -330,7 +330,8 @@
         result += Pageflow.config_for(target).admin_form_inputs.permitted_attributes_for(:entry)
         result += permitted_account_attributes
 
-        result << :folder_id if params[:id] && authorized?(:configure_folder_for, resource)
+        result << :folder_id if create_or_new_action? ||
+                                  (params[:id] && authorized?(:configure_folder_for, resource))
 
         accounts = if params[:id]
                      resource.account

diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -182,6 +182,7 @@ de:
         account: Konto
         author: Autor
         created_at: Erstellt
+        folder: Ordner
         credits: Credits
         structured_data_type_name: Strukturierter Datentyp
         edited_at: Geändert

diff --git a/spec/controllers/admin/entries_controller_spec.rb b/spec/controllers/admin/entries_controller_spec.rb
@@ -948,6 +948,30 @@ def self.name
       expect(request).to redirect_to(admin_entry_path(Pageflow::Entry.last))
     end
 
+    it 'allows account publisher to create entry in folder' do
+      user = create(:user)
+      account = create(:account, with_publisher: user)
+      folder = create(:folder, account:)
+
+      sign_in(user, scope: :user)
+
+      post :create, params: {entry: attributes_for(:entry, account:, folder_id: folder)}
+
+      expect(Pageflow::Entry.last.folder).to eq(folder)
+    end
+
+    it 'does not allow account publisher to create entry in folder of other account' do
+      user = create(:user)
+      account = create(:account, with_publisher: user)
+      folder = create(:folder, account: create(:account))
+
+      sign_in(user, scope: :user)
+
+      expect {
+        post :create, params: {entry: attributes_for(:entry, account:, folder_id: folder)}
+      }.not_to change(Pageflow::Entry, :count)
+    end
+
     it 'redirects to editor if after_entry_create is set to editor' do
       user = create(:user)
       account = create(:account, with_publisher: user)