Align frontend and backend publication checks

core/src/main/java/org/fao/geonet/kernel/AccessManager.java

@@ -524,34 +524,58 @@ private boolean hasEditingPermissionWithProfile(final ServiceContext context, fi
     /**
      * Checks if the user has the specified profile or any profile with greater permissions within the group.
      *
-     * @param context The service context containing the user's session.
+     * @param userSession The user's session.
      * @param profile The profile to be verified.
      * @param groupId The ID of the group in which the user's profile is to be verified.
      * @return true if the user has the specified profile (or greater) within the group; false otherwise.
      */
-    public boolean isProfileOrMoreOnGroup(final ServiceContext context, Profile profile, final int groupId) {
-        UserSession us = context.getUserSession();
-        if (!isUserAuthenticated(us)) {
+    public boolean isProfileOrMoreOnGroup(final UserSession userSession, Profile profile, final int groupId) {
+        if (!isUserAuthenticated(userSession)) {
             return false;
         }
 
         // Grant access if the user is a global administrator
-        if (Profile.Administrator == us.getProfile()) {
+        if (Profile.Administrator == userSession.getProfile()) {
             return true;
         }
 
         // Get the profile and all its parent profiles to consider higher-level permissions
         Set<Profile> acceptedProfiles = profile.getProfileAndAllParents();
 
         // Build a specification to fetch any accepted profiles for the user in the specified group
-        Specification<UserGroup> spec = Specification.where(UserGroupSpecs.hasUserId(us.getUserIdAsInt()))
+        Specification<UserGroup> spec = Specification.where(UserGroupSpecs.hasUserId(userSession.getUserIdAsInt()))
             .and(UserGroupSpecs.hasGroupId(groupId))
             .and(UserGroupSpecs.hasProfileIn(acceptedProfiles));
         List<UserGroup> userGroups = userGroupRepository.findAll(spec);
 
         return !userGroups.isEmpty();
     }
 
+    /**
+     * Checks if the user has exactly the specified profile within the group.
+     *
+     * @param userSession The user's session.
+     * @param profile The exact profile to verify.
+     * @param groupId The ID of the group in which the user's profile is verified.
+     * @return true if the user has exactly the specified profile in the group; false otherwise.
+     */
+    public boolean isProfileOnGroup(final UserSession userSession, Profile profile, final int groupId) {
+        if (!isUserAuthenticated(userSession)) {
+            return false;
+        }
+
+        // Global administrators remain allowed regardless of group assignments.
+        if (Profile.Administrator == userSession.getProfile()) {
+            return true;
+        }
+
+        Specification<UserGroup> spec = Specification.where(UserGroupSpecs.hasUserId(userSession.getUserIdAsInt()))
+            .and(UserGroupSpecs.hasGroupId(groupId))
+            .and(UserGroupSpecs.hasProfile(profile));
+
+        return userGroupRepository.count(spec)> 0;
+    }
+
     public int getPrivilegeId(final String name) {
         final Operation op = operationRepository.findByName(name);
         if (op == null) {

docs/manual/docs/administrator-guide/configuring-the-catalog/system-configuration.md

@@ -340,10 +340,12 @@ Allows to configure the user profile allowed to delete published metadata.
 
 ## Metadata publication
 
-Allows to configure the user profile allowed to publish and un-publish metadata.
+Allows to configure the required user profile to publish and un-publish metadata.
 
--   **Minimum user profile allowed to publish metadata** Minimum user profile allowed to publish metadata (`Reviewer` or `Administrator`). The default value is `Reviewer`.
--   **Minimum user profile allowed to un-publish metadata** Minimum user profile allowed to un-publish metadata (`Reviewer` or `Administrator`). The default value is `Reviewer`.
+The configured profile is evaluated on the metadata owner group (per-group role), not the user's global profile. The user must have exactly this profile in the record owner group. For example, with `Reviewer`, only users who are `Reviewer` in the owner group are allowed (not `UserAdmin`). Global `Administrator` is always allowed.
+
+-   **Required profile to publish metadata** Profile required to publish metadata, evaluated in the record owner group (`Reviewer` or `Administrator`). The default value is `Reviewer`.
+-   **Required profile to un-publish metadata** Profile required to un-publish metadata, evaluated in the record owner group (`Reviewer` or `Administrator`). The default value is `Reviewer`.
 
 ![](img/metadata-publication.png)
 

docs/manual/docs/user-guide/publishing/managing-privileges.md

@@ -8,7 +8,7 @@ For example, you can specify that the metadata and related services are visible
 
     The privileges panel uses colour coding to identify different group types:
 
-    - **Blue rows** — [Reserved groups](../../administrator-guide/managing-users-and-groups/creating-group.md) (All, Intranet, Guest). Only Administrators and Reviewers can edit these privileges.
+    - **Blue rows** — [Reserved groups](../../administrator-guide/managing-users-and-groups/creating-group.md) (All, Intranet, Guest). Editing these privileges requires the configured publication profile on the record owner group (default: Reviewer). Administrators are always allowed.
     - **Yellow rows** — [Record Privilege Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#2-record-privilege-group). These groups can be assigned privileges on specific records but cannot own metadata.
     - **No highlight** — Standard [Workspace Groups](../../administrator-guide/managing-users-and-groups/creating-group.md#1-workspace-group).
 
@@ -82,10 +82,10 @@ A *reviewer* / *editor* can edit a metadata if:
 A button to access the Privileges page for a metadata record displays in the search results or when you are viewing the record for:
 
 -   All Administrators
--   All Reviewers that are member of one of the groups assigned to the metadata owner.
+-   Users who meet the configured publication profile in the metadata owner group (default: Reviewer).
 -   The Owner of the metadata
 
-Only Administrators and Reviewers can edit privileges for the All and Intranet groups.
+Only users meeting the configured publication profile in the metadata owner group can edit privileges for reserved groups (All, Intranet, Guest). By default this is Reviewer.
 
 ## Setting Privileges on a selected set of metadata records
 

services/src/main/java/org/fao/geonet/api/doiservers/DoiServersApi.java

@@ -350,6 +350,6 @@ private boolean isMetadataOwnerOrReviewer(ServiceContext serviceContext, Integer
                                               Integer groupOwner, Profile userProfile) throws Exception {
 
         return (userProfile == Profile.Administrator) || accessManager.isOwner(serviceContext, String.valueOf(metadataId))
-            || accessManager.isProfileOrMoreOnGroup(serviceContext, Profile.Reviewer, groupOwner);
+            || accessManager.isProfileOrMoreOnGroup(serviceContext.getUserSession(), Profile.Reviewer, groupOwner);
     }
 }