From accb6dc8d05941c90b334f26ce79b1fba8f49343 Mon Sep 17 00:00:00 2001
From: Denis Bykhov <bykhov.denis@gmail.com>
Date: Sat, 10 Jan 2026 15:22:51 +0500
Subject: [PATCH 1/2] Add type/tag permissions

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
---
 common/scripts/version.txt                    |   2 +-
 models/card/src/migration.ts                  | 160 ++++++++++++++++
 models/card/src/plugin.ts                     |  24 +--
 .../settings/ProperitiesSection.svelte        |  44 +----
 plugins/card-resources/src/plugin.ts          |  22 ++-
 plugins/card-resources/src/utils.ts           | 180 +++++++++++++++++-
 6 files changed, 366 insertions(+), 66 deletions(-)

diff --git a/common/scripts/version.txt b/common/scripts/version.txt
index 1786157c5c8..191a501d751 100644
--- a/common/scripts/version.txt
+++ b/common/scripts/version.txt
@@ -1 +1 @@
-"0.7.340"
+"0.7.343"
diff --git a/models/card/src/migration.ts b/models/card/src/migration.ts
index 1eb8cab1d7a..29c32a4b25c 100644
--- a/models/card/src/migration.ts
+++ b/models/card/src/migration.ts
@@ -17,6 +17,8 @@ import cardPlugin, { cardId, DOMAIN_CARD, type Card, type Role } from '@hcengine
 import core, {
   DOMAIN_MODEL,
   TxOperations,
+  type Class,
+  type ClassPermission,
   type Client,
   type Data,
   type Doc,
@@ -121,11 +123,169 @@ export const cardOperation: MigrateOperation = {
         state: 'version-for-versionable-types',
         mode: 'upgrade',
         func: addVersionForVersionableTypes
+      },
+      {
+        state: 'migrate-restricted-permissions',
+        mode: 'upgrade',
+        func: migrateRestrictedPermissions
       }
     ])
   }
 }
 
+async function migrateRestrictedPermissions (_client: MigrationUpgradeClient): Promise<void> {
+  const client = new TxOperations(_client, core.account.System)
+  const hierarchy = client.getHierarchy()
+  const desc = hierarchy.getDescendants(card.class.Card)
+  const permissions = await client.findAll(core.class.ClassPermission, { objectClass: { $in: desc } })
+  const restrictedTargets = new Set<Ref<Class<Doc>>>()
+  for (const perm of permissions) {
+    if (perm.targetClass !== undefined) {
+      restrictedTargets.add(perm.targetClass)
+    }
+  }
+
+  const targets = await client.findAll(card.class.MasterTag, { _id: { $in: [...restrictedTargets] } })
+
+  for (const masterTag of targets) {
+    const isMixin = hierarchy.isMixin(masterTag._id)
+    const objectClass = hierarchy.getBaseClass(masterTag._id)
+    if (isMixin) {
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxMixin,
+          txMatch: {
+            mixin: masterTag._id
+          },
+          scope: 'space',
+          forbid: false,
+          label: card.string.AddTagPermission,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_create_allowed` as Ref<ClassPermission>
+      )
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxMixin,
+          txMatch: {
+            mixin: masterTag._id
+          },
+          scope: 'space',
+          forbid: true,
+          label: card.string.ForbidAddTagPermission,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_create_forbidden` as Ref<ClassPermission>
+      )
+      const key = `operations.$unset.${masterTag._id}`
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxUpdateDoc,
+          txMatch: {
+            [key]: {
+              $exists: true
+            }
+          },
+          scope: 'space',
+          forbid: false,
+          label: card.string.RemoveTag,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_remove_allowed` as Ref<ClassPermission>
+      )
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxUpdateDoc,
+          txMatch: {
+            [key]: { $exists: true }
+          },
+          scope: 'space',
+          forbid: true,
+          label: card.string.ForbidRemoveTag,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_remove_forbidden` as Ref<ClassPermission>
+      )
+    } else {
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxCreateDoc,
+          scope: 'space',
+          forbid: false,
+          label: card.string.CreateCardPermission,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_create_allowed` as Ref<ClassPermission>
+      )
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxCreateDoc,
+          scope: 'space',
+          forbid: true,
+          label: card.string.ForbidCreateCardPermission,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_create_forbidden` as Ref<ClassPermission>
+      )
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxRemoveDoc,
+          scope: 'space',
+          forbid: false,
+          label: card.string.RemoveCard,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_remove_allowed` as Ref<ClassPermission>
+      )
+      await client.createDoc(
+        core.class.ClassPermission,
+        core.space.Model,
+        {
+          objectClass,
+          txClass: core.class.TxRemoveDoc,
+          txMatch: {
+            objectClass: masterTag._id
+          },
+          scope: 'space',
+          forbid: true,
+          label: card.string.ForbidRemoveCard,
+          description: masterTag.label,
+          targetClass: masterTag._id
+        },
+        `${masterTag._id}_remove_forbidden` as Ref<ClassPermission>
+      )
+    }
+  }
+}
+
 async function addVersionForVersionableTypes (client: MigrationUpgradeClient): Promise<void> {
   const txOp = new TxOperations(client, core.account.System)
   const versionableTypes = await client.findAll(card.class.MasterTag, {})
diff --git a/models/card/src/plugin.ts b/models/card/src/plugin.ts
index d701f4674ad..c6b90350cad 100644
--- a/models/card/src/plugin.ts
+++ b/models/card/src/plugin.ts
@@ -17,7 +17,7 @@ import { type Card, cardId } from '@hcengineering/card'
 import card from '@hcengineering/card-resources/src/plugin'
 import type { Client, Doc, Ref } from '@hcengineering/core'
 import {} from '@hcengineering/core'
-import { type IntlString, mergeIds, type Resource } from '@hcengineering/platform'
+import { mergeIds, type Resource } from '@hcengineering/platform'
 import { type TagCategory } from '@hcengineering/tags'
 import { type Location, type ResolvedLocation } from '@hcengineering/ui/src/types'
 import { type Action, type ActionCategory, type ViewAction } from '@hcengineering/view'
@@ -39,28 +39,6 @@ export default mergeIds(cardId, card, {
     PublicLink: '' as Ref<Action<Doc, any>>,
     Duplicate: '' as Ref<Action>
   },
-  string: {
-    CreateCardPersmissionDescription: '' as IntlString,
-    UpdateCardPersmissionDescription: '' as IntlString,
-    RemoveCardPersmissionDescription: '' as IntlString,
-    AddTagPersmissionDescription: '' as IntlString,
-    RemoveTagPersmissionDescription: '' as IntlString,
-    RemoveCard: '' as IntlString,
-    UpdateCard: '' as IntlString,
-    CreateCardPermission: '' as IntlString,
-    AddTagPermission: '' as IntlString,
-    RemoveTag: '' as IntlString,
-    ForbidCreateCardPersmissionDescription: '' as IntlString,
-    ForbidUpdateCardPersmissionDescription: '' as IntlString,
-    ForbidRemoveCardPersmissionDescription: '' as IntlString,
-    ForbidAddTagPersmissionDescription: '' as IntlString,
-    ForbidRemoveTagPersmissionDescription: '' as IntlString,
-    ForbidRemoveCard: '' as IntlString,
-    ForbidUpdateCard: '' as IntlString,
-    ForbidCreateCardPermission: '' as IntlString,
-    ForbidAddTagPermission: '' as IntlString,
-    ForbidRemoveTag: '' as IntlString
-  },
   category: {
     Card: '' as Ref<ActionCategory>,
     Labels: '' as Ref<TagCategory>
diff --git a/plugins/card-resources/src/components/settings/ProperitiesSection.svelte b/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
index 49db15d6346..d8af6d34e99 100644
--- a/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
+++ b/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
@@ -14,13 +14,13 @@
 -->
 <script lang="ts">
   import { MasterTag } from '@hcengineering/card'
+  import { ClassPermission, Ref } from '@hcengineering/core'
+  import { getClient, MessageBox } from '@hcengineering/presentation'
   import { ClassAttributes } from '@hcengineering/setting-resources'
   import setting from '@hcengineering/setting-resources/src/plugin'
   import { ButtonIcon, showPopup } from '@hcengineering/ui'
   import card from '../../plugin'
-  import { getClient, MessageBox } from '@hcengineering/presentation'
-  import core, { ClassPermission, Ref } from '@hcengineering/core'
-  import view from '@hcengineering/view'
+  import { createTypePermissions } from '../../utils'
 
   export let masterTag: MasterTag
 
@@ -43,43 +43,7 @@
         message: setting.string.RestrictedAttributeWarning,
         action: async () => {
           isRestricted = true
-          const isMixin = hierarchy.isMixin(masterTag._id)
-          const objectClass = hierarchy.getBaseClass(masterTag._id)
-          const txClass = isMixin ? core.class.TxMixin : core.class.TxUpdateDoc
-          await client.createDoc(
-            core.class.ClassPermission,
-            core.space.Model,
-            {
-              objectClass,
-              txClass,
-              txMatch: {
-                [isMixin ? 'mixin' : 'objectClass']: masterTag._id
-              },
-              scope: 'space',
-              forbid: false,
-              label: view.string.AllowAttributeChanges,
-              description: masterTag.label,
-              targetClass: masterTag._id
-            },
-            getPermissionRef(false)
-          )
-          await client.createDoc(
-            core.class.ClassPermission,
-            core.space.Model,
-            {
-              objectClass,
-              txClass,
-              txMatch: {
-                [isMixin ? 'mixin' : 'objectClass']: masterTag._id
-              },
-              scope: 'space',
-              forbid: true,
-              label: view.string.ForbidAttributeChanges,
-              description: masterTag.label,
-              targetClass: masterTag._id
-            },
-            getPermissionRef(true)
-          )
+          await createTypePermissions(masterTag)
         }
       },
       'top',
diff --git a/plugins/card-resources/src/plugin.ts b/plugins/card-resources/src/plugin.ts
index c38c655038b..c2c1e36cb5c 100644
--- a/plugins/card-resources/src/plugin.ts
+++ b/plugins/card-resources/src/plugin.ts
@@ -135,6 +135,26 @@ export default mergeIds(cardId, card, {
     EnableVersioning: '' as IntlString,
     EnableVersioningConfirm: '' as IntlString,
     NewVersionConfirmation: '' as IntlString,
-    RelationCopyDescr: '' as IntlString
+    RelationCopyDescr: '' as IntlString,
+    CreateCardPersmissionDescription: '' as IntlString,
+    UpdateCardPersmissionDescription: '' as IntlString,
+    RemoveCardPersmissionDescription: '' as IntlString,
+    AddTagPersmissionDescription: '' as IntlString,
+    RemoveTagPersmissionDescription: '' as IntlString,
+    RemoveCard: '' as IntlString,
+    UpdateCard: '' as IntlString,
+    CreateCardPermission: '' as IntlString,
+    AddTagPermission: '' as IntlString,
+    RemoveTag: '' as IntlString,
+    ForbidCreateCardPersmissionDescription: '' as IntlString,
+    ForbidUpdateCardPersmissionDescription: '' as IntlString,
+    ForbidRemoveCardPersmissionDescription: '' as IntlString,
+    ForbidAddTagPersmissionDescription: '' as IntlString,
+    ForbidRemoveTagPersmissionDescription: '' as IntlString,
+    ForbidRemoveCard: '' as IntlString,
+    ForbidUpdateCard: '' as IntlString,
+    ForbidCreateCardPermission: '' as IntlString,
+    ForbidAddTagPermission: '' as IntlString,
+    ForbidRemoveTag: '' as IntlString
   }
 })
diff --git a/plugins/card-resources/src/utils.ts b/plugins/card-resources/src/utils.ts
index 20fddf279c0..fad96a95449 100644
--- a/plugins/card-resources/src/utils.ts
+++ b/plugins/card-resources/src/utils.ts
@@ -13,10 +13,11 @@
 
 import { type AccountClient, getClient as getAccountClientRaw } from '@hcengineering/account-client'
 import { Analytics } from '@hcengineering/analytics'
-import { type Card, CardEvents, cardId, type CardSpace, type MasterTag } from '@hcengineering/card'
+import { type Card, CardEvents, cardId, type CardSpace, type MasterTag, type Tag } from '@hcengineering/card'
 import core, {
   AccountRole,
   type Class,
+  type ClassPermission,
   type Client,
   type Data,
   type Doc,
@@ -97,6 +98,183 @@ export async function deleteMasterTag (tag: MasterTag | undefined, onDelete?: ()
   }
 }
 
+export async function createTypePermissions (masterTag: MasterTag | Tag): Promise<void> {
+  const client = getClient()
+  const hierarchy = client.getHierarchy()
+  const isMixin = hierarchy.isMixin(masterTag._id)
+  const objectClass = hierarchy.getBaseClass(masterTag._id)
+  const txClass = isMixin ? core.class.TxMixin : core.class.TxUpdateDoc
+
+  await client.createDoc(
+    core.class.ClassPermission,
+    core.space.Model,
+    {
+      objectClass,
+      txClass,
+      txMatch: {
+        [isMixin ? 'mixin' : 'objectClass']: masterTag._id
+      },
+      scope: 'space',
+      forbid: false,
+      label: view.string.AllowAttributeChanges,
+      description: masterTag.label,
+      targetClass: masterTag._id
+    },
+    `${masterTag._id}_allowed` as Ref<ClassPermission>
+  )
+  await client.createDoc(
+    core.class.ClassPermission,
+    core.space.Model,
+    {
+      objectClass,
+      txClass,
+      txMatch: {
+        [isMixin ? 'mixin' : 'objectClass']: masterTag._id
+      },
+      scope: 'space',
+      forbid: true,
+      label: view.string.ForbidAttributeChanges,
+      description: masterTag.label,
+      targetClass: masterTag._id
+    },
+    `${masterTag._id}_forbidden` as Ref<ClassPermission>
+  )
+
+  if (isMixin) {
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxMixin,
+        txMatch: {
+          mixin: masterTag._id
+        },
+        scope: 'space',
+        forbid: false,
+        label: card.string.AddTagPermission,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_create_allowed` as Ref<ClassPermission>
+    )
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxMixin,
+        txMatch: {
+          mixin: masterTag._id
+        },
+        scope: 'space',
+        forbid: true,
+        label: card.string.ForbidAddTagPermission,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_create_forbidden` as Ref<ClassPermission>
+    )
+    const key = `operations.$unset.${masterTag._id}`
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxUpdateDoc,
+        txMatch: {
+          [key]: {
+            $exists: true
+          }
+        },
+        scope: 'space',
+        forbid: false,
+        label: card.string.RemoveTag,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_remove_allowed` as Ref<ClassPermission>
+    )
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxUpdateDoc,
+        txMatch: {
+          [key]: { $exists: true }
+        },
+        scope: 'space',
+        forbid: true,
+        label: card.string.ForbidRemoveTag,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_remove_forbidden` as Ref<ClassPermission>
+    )
+  } else {
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxCreateDoc,
+        scope: 'space',
+        forbid: false,
+        label: card.string.CreateCardPermission,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_create_allowed` as Ref<ClassPermission>
+    )
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxCreateDoc,
+        scope: 'space',
+        forbid: true,
+        label: card.string.ForbidCreateCardPermission,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_create_forbidden` as Ref<ClassPermission>
+    )
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxRemoveDoc,
+        scope: 'space',
+        forbid: false,
+        label: card.string.RemoveCard,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_remove_allowed` as Ref<ClassPermission>
+    )
+    await client.createDoc(
+      core.class.ClassPermission,
+      core.space.Model,
+      {
+        objectClass,
+        txClass: core.class.TxRemoveDoc,
+        txMatch: {
+          objectClass: masterTag._id
+        },
+        scope: 'space',
+        forbid: true,
+        label: card.string.ForbidRemoveCard,
+        description: masterTag.label,
+        targetClass: masterTag._id
+      },
+      `${masterTag._id}_remove_forbidden` as Ref<ClassPermission>
+    )
+  }
+}
+
 async function cloneCard (
   origin: Card,
   overrideProps: Record<string, any>,

From 692b870523e9495f992c50c5533e5d0949eee109 Mon Sep 17 00:00:00 2001
From: Denis Bykhov <bykhov.denis@gmail.com>
Date: Sat, 10 Jan 2026 15:23:10 +0500
Subject: [PATCH 2/2] Remove extra

Signed-off-by: Denis Bykhov <bykhov.denis@gmail.com>
---
 .../src/components/settings/ProperitiesSection.svelte            | 1 -
 1 file changed, 1 deletion(-)

diff --git a/plugins/card-resources/src/components/settings/ProperitiesSection.svelte b/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
index d8af6d34e99..27950a3f77d 100644
--- a/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
+++ b/plugins/card-resources/src/components/settings/ProperitiesSection.svelte
@@ -25,7 +25,6 @@
   export let masterTag: MasterTag
 
   const client = getClient()
-  const hierarchy = client.getHierarchy()
 
   let isRestricted: boolean =
     client.getModel().findObject(getPermissionRef(false)) !== undefined ||