From 50ba6b544954f4aa61237b919e9bee67d8958817 Mon Sep 17 00:00:00 2001
From: Duncan McClean
Date: Tue, 17 Mar 2026 12:29:30 +0000
Subject: [PATCH 1/2] Authorize term creation via field actions

---
 src/Fieldtypes/Terms.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
index c7b46cf028d..9967e56fbd5 100644
--- a/src/Fieldtypes/Terms.php
+++ b/src/Fieldtypes/Terms.php
@@ -485,9 +485,20 @@ protected function createTermFromString($string, $taxonomy)
 $slug = Str::slug($string, '-', $lang);
 if (! $term = Facades\Term::find("{$taxonomy}::{$slug}")) {
+ $taxonomy = Facades\Taxonomy::findByHandle($taxonomy);
+
+ // Only enforce authorization when there's no parent context,
+ // e.g. when processing fields via the field-action-modal endpoint.
+ if (! $parent) {
+ throw_if(
+ User::current()->cant('create', [TermContract::class, $taxonomy]),
+ new AuthorizationException
+ );
+ }
+
 $term = Facades\Term::make()
 ->slug($slug)
- ->taxonomy(Facades\Taxonomy::findByHandle($taxonomy))
+ ->taxonomy($taxonomy)
 ->set('title', $string);
 $term->save();

From f6da93222891a86a1a5ccddb0a7365a8cc5f20b7 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 17 Mar 2026 13:35:08 -0400
Subject: [PATCH 2/2] avoid creating term at all without permission

---
 src/Fieldtypes/Terms.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/Fieldtypes/Terms.php b/src/Fieldtypes/Terms.php
index 9967e56fbd5..3408672388c 100644
--- a/src/Fieldtypes/Terms.php
+++ b/src/Fieldtypes/Terms.php
@@ -220,8 +220,13 @@ public function process($data)
 $id = $this->createTermFromString($id, $taxonomy);
 }
+ if (! $id) {
+ return null;
+ }
+
 return explode('::', $id, 2)[1];
 })
+ ->filter()
 ->unique()
 ->values()
 ->all();
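Review bot: `$parent` is not a parameter of `createTermFromString($string, $taxonomy)` as the hunk header shows, so unless it is assigned earlier in the body (which lies outside this hunk) `if (! $parent)` reads an undefined variable, is always true, and the comment about "no parent context" describes a distinction the code cannot actually make. The second patch in this series replaces the branch with an unconditional permission check, which removes the problem; if a parent-context bypass is still wanted later, it should arrive as an explicit parameter rather than a free variable. The enclosing method begins and ends outside the hunk.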
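Review bot: The new `if (! $id) { return null; }` together with `->filter()` silently drops a term the current user is not allowed to create, so the submitted value vanishes from the saved field with no feedback to the user or any log line. Whether a silent drop is preferable to a validation error is a product decision, but the closure should state the contract it relies on, e.g. `// createTermFromString() returns null when the user may not create terms; such values are dropped, not rejected.` The enclosing `process()` and the mapped closure start outside the hunk.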
@@ -487,13 +492,8 @@ protected function createTermFromString($string, $taxonomy)
 if (! $term = Facades\Term::find("{$taxonomy}::{$slug}")) {
 $taxonomy = Facades\Taxonomy::findByHandle($taxonomy);
- // Only enforce authorization when there's no parent context,
- // e.g. when processing fields via the field-action-modal endpoint.
- if (! $parent) {
- throw_if(
- User::current()->cant('create', [TermContract::class, $taxonomy]),
- new AuthorizationException
- );
+ if (User::current()->cant('create', [TermContract::class, $taxonomy])) {
+ return null;
 }
 $term = Facades\Term::make()
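Review bot: The new condition calls `User::current()->cant(...)` and so assumes an authenticated user; if this fieldtype's `process()` can run without one (I cannot tell from the hunk), the check fails with a null-method error instead of a clean denial. A fail-closed form avoids that and treats a missing user as not permitted: `if (! User::current()?->can('create', [TermContract::class, $taxonomy])) {`. Since the method now returns either an id string (the caller splits it on `::`) or `null`, a docblock such as `@return string|null Null when the current user may not create terms in this taxonomy.` would document the contract for callers; `createTermFromString` continues outside the hunk.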