From 26bf55aa5d0bed71fa720e3a61648e29afd4f395 Mon Sep 17 00:00:00 2001
From: Will Ezell <will@dotcms.com>
Date: Fri, 27 Feb 2026 09:58:54 -0500
Subject: [PATCH 1/4] debt(dwr): replacing PermissionAjax with rest endpoint

ref: #34797
---
 .../permission/AssetPermissionHelper.java     |  53 +++-
 .../system/permission/PermissionResource.java | 145 +++++++++++
 .../permission/PermissionableObjectView.java  |  70 +++++
 ...esponseEntityPermissionableObjectView.java |  14 +
 .../business/PermissionableObjectDWR.java     |   5 +
 .../dotmarketing/business/ajax/HostAjax.java  |   5 +
 .../dotmarketing/business/ajax/InodeAjax.java |   5 +
 .../business/ajax/PermissionAjax.java         |   5 +
 .../categories/ajax/CategoryAjax.java         |   5 +
 .../com/liferay/portal/util/PortalUtil.java   |   5 +-
 dotCMS/src/main/webapp/WEB-INF/dwr.xml        |  22 +-
 .../main/webapp/WEB-INF/openapi/openapi.yaml  | 106 ++++++++
 .../src/main/webapp/html/common/top_inc.jsp   |   2 -
 .../legacy-custom-field.jsp                   |   2 -
 .../webapp/html/ng-contentlet-selector.jsp    |   2 -
 .../ext/browser/view_browser_js_inc.jsp       |   7 +-
 .../ext/calendar/view_calendar_main_inc.jsp   |   1 -
 .../ext/categories/view_categories.jsp        | 244 ++++++++++++------
 .../ext/categories/view_categories_dialog.jsp |   2 -
 .../common/edit_permissions_tab_js_inc.jsp    | 215 ++++++++++++++-
 .../edit_permissions_tab_js_inc_ajax.jsp      | 206 ++++++++++++++-
 .../ext/contentlet/field/edit_field_js.jsp    |   1 -
 .../ext/contentlet/view_contentlets.jsp       |   1 -
 .../contentlet/view_contentlets_js_inc.jsp    |   7 +-
 .../ext/contentlet/view_contentlets_popup.jsp |   8 +-
 .../ext/files/upload_multiple_js_inc.jsp      |   1 -
 .../ext/fileupload/upload_multiple_js_inc.jsp |   1 -
 .../ext/hostadmin/view_hosts_js_inc.jsp       | 153 +++++------
 28 files changed, 1100 insertions(+), 193 deletions(-)
 create mode 100644 dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionableObjectView.java
 create mode 100644 dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/ResponseEntityPermissionableObjectView.java

diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
index f1f39f21f0a2..498ccafbc796 100644
--- a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
@@ -256,9 +256,13 @@ public List<RolePermissionView> buildRolePermissions(final Permissionable asset,
                 // Build individual permissions set
                 final Set<PermissionAPI.Type> individual = convertPermissionsToTypeSet(individualPermissions);
 
-                // Build inheritable permissions map (only for parent permissionables)
+                // Build inheritable permissions map.
+                // Always include when there are inheritable-type permissions, even for
+                // non-parent permissionables. The DWR compatibility layer in the JSP needs
+                // these to merge into the "individual" bucket (matching legacy DWR behavior
+                // where getPermissions() forced all types to "individual").
                 final Map<PermissionAPI.Scope, Set<PermissionAPI.Type>> inheritable;
-                if (isParentPermissionable && !inheritablePermissions.isEmpty()) {
+                if (!inheritablePermissions.isEmpty()) {
                     inheritable = buildInheritablePermissionMap(inheritablePermissions);
                 } else {
                     inheritable = null;
@@ -990,6 +994,51 @@ private UpdateRolePermissionsView buildRolePermissionUpdateResponse(final Permis
             .build();
     }
 
+    /**
+     * Builds a PermissionableObjectView for the given asset.
+     * Returns metadata needed by the permissions tab UI to determine which
+     * permission options to display.
+     *
+     * <p>Replaces the legacy {@code PermissionAjax.getAsset()} DWR method.
+     *
+     * @param assetId Asset identifier (inode or identifier)
+     * @param user    Requesting user
+     * @return PermissionableObjectView containing asset metadata
+     * @throws DotDataException     If there's an error accessing data
+     * @throws DotSecurityException If security validation fails
+     */
+    public PermissionableObjectView getPermissionableObjectView(final String assetId,
+                                                                  final User user)
+            throws DotDataException, DotSecurityException {
+
+        final Permissionable asset = resolveAsset(assetId);
+        if (asset == null) {
+            throw new NotFoundInDbException(String.format("Asset not found: %s", assetId));
+        }
+
+        final boolean isFolder = asset instanceof Folder;
+        final boolean isHost = asset instanceof Host
+                || (asset instanceof Contentlet
+                    && ((Contentlet) asset).isHost());
+        final boolean isContentType = asset instanceof com.dotcms.contenttype.model.type.ContentType
+                || asset instanceof com.dotmarketing.portlets.structure.model.Structure;
+        final boolean isParentPermissionable = asset.isParentPermissionable();
+        final boolean canEditPermissions = permissionAPI.doesUserHavePermission(
+            asset, PermissionAPI.PERMISSION_EDIT_PERMISSIONS, user, false);
+
+        final String type = asset.getClass().getName();
+
+        return new PermissionableObjectView(
+            asset.getPermissionId(),
+            type,
+            isFolder,
+            isHost,
+            isContentType,
+            isParentPermissionable,
+            canEditPermissions
+        );
+    }
+
     /**
      * Builds asset view with permissions filtered to a specific role.
      *
diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionResource.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionResource.java
index 8e8aa4c42cb0..eb169db7c127 100644
--- a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionResource.java
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionResource.java
@@ -4,6 +4,7 @@
 import com.dotcms.rest.InitDataObject;
 import com.dotcms.rest.Pagination;
 import com.dotcms.rest.ResponseEntityPaginatedDataView;
+import com.dotcms.rest.ResponseEntityStringView;
 import com.dotcms.rest.ResponseEntityView;
 import com.dotcms.rest.WebResource;
 import com.dotcms.rest.annotation.NoCache;
@@ -1142,4 +1143,148 @@ public ResponseEntityUpdateRolePermissionsView updateRolePermissions(
 
         return new ResponseEntityUpdateRolePermissionsView(result);
     }
+
+    /**
+     * Breaks permission inheritance for a specific asset, making it have its own
+     * individual permissions (copied from parent). This is used when an asset is
+     * currently inheriting permissions and the user wants to customize them.
+     *
+     * @param request  HTTP servlet request
+     * @param response HTTP servlet response
+     * @param assetId  Asset identifier (inode or identifier)
+     * @return ResponseEntityStringView with success message
+     * @throws DotDataException     If there's an error accessing permission data
+     * @throws DotSecurityException If security validation fails
+     */
+    @Operation(
+        summary = "Break permission inheritance",
+        description = "Breaks permission inheritance for a specific asset, giving it individual " +
+                     "permissions copied from its parent. After this operation, the asset's permissions " +
+                     "can be modified independently of the parent."
+    )
+    @ApiResponses(value = {
+        @ApiResponse(responseCode = "200",
+                    description = "Inheritance broken successfully",
+                    content = @Content(mediaType = "application/json",
+                                      schema = @Schema(implementation = ResponseEntityStringView.class))),
+        @ApiResponse(responseCode = "401",
+                    description = "Unauthorized - authentication required",
+                    content = @Content(mediaType = "application/json")),
+        @ApiResponse(responseCode = "403",
+                    description = "Forbidden - user lacks EDIT_PERMISSIONS on asset",
+                    content = @Content(mediaType = "application/json")),
+        @ApiResponse(responseCode = "404",
+                    description = "Asset not found",
+                    content = @Content(mediaType = "application/json"))
+    })
+    @PUT
+    @Path("/{assetId}/_individualpermission")
+    @JSONP
+    @NoCache
+    @Produces({MediaType.APPLICATION_JSON})
+    public ResponseEntityStringView permissionIndividually(
+            final @Context HttpServletRequest request,
+            final @Context HttpServletResponse response,
+            @Parameter(description = "Asset identifier (inode or identifier)", required = true)
+            final @PathParam("assetId") String assetId)
+            throws DotDataException, DotSecurityException {
+
+        Logger.debug(this, () -> String.format(
+            "permissionIndividually called - assetId: %s", assetId));
+
+        final User user = new WebResource.InitBuilder(webResource)
+                .requiredBackendUser(true)
+                .requiredFrontendUser(false)
+                .requestAndResponse(request, response)
+                .rejectWhenNoUser(true)
+                .init()
+                .getUser();
+
+        if (!UtilMethods.isSet(assetId)) {
+            throw new BadRequestException("Asset ID is required");
+        }
+
+        final Permissionable asset = assetPermissionHelper.resolveAsset(assetId);
+        if (asset == null) {
+            throw new NotFoundInDbException(String.format("Asset not found: %s", assetId));
+        }
+
+        final PermissionAPI permissionAPI = APILocator.getPermissionAPI();
+        if (!permissionAPI.doesUserHavePermission(asset, PermissionAPI.PERMISSION_EDIT_PERMISSIONS, user)) {
+            throw new DotSecurityException("User does not have permission to edit permissions on this asset");
+        }
+
+        final Permissionable parentPermissionable = permissionAPI.findParentPermissionable(asset);
+        if (parentPermissionable != null) {
+            permissionAPI.permissionIndividually(parentPermissionable, asset, user);
+        }
+
+        Logger.info(this, () -> String.format(
+            "Successfully broke permission inheritance for asset: %s", assetId));
+
+        return new ResponseEntityStringView("Permission inheritance broken successfully");
+    }
+
+    /**
+     * Retrieves metadata about a permissionable asset, including type information
+     * and permission flags. Used by the permissions tab UI to determine which
+     * permission options to display.
+     *
+     * @param request  HTTP servlet request
+     * @param response HTTP servlet response
+     * @param assetId  Asset identifier (inode or identifier)
+     * @return ResponseEntityPermissionableObjectView containing asset metadata
+     * @throws DotDataException     If there's an error accessing data
+     * @throws DotSecurityException If security validation fails
+     */
+    @Operation(
+        summary = "Get permissionable asset metadata",
+        description = "Retrieves metadata about a permissionable asset including its type, " +
+                     "whether it is a folder/host/content type, and whether the current user " +
+                     "has permission to edit its permissions."
+    )
+    @ApiResponses(value = {
+        @ApiResponse(responseCode = "200",
+                    description = "Asset metadata retrieved successfully",
+                    content = @Content(mediaType = "application/json",
+                                      schema = @Schema(implementation = ResponseEntityPermissionableObjectView.class))),
+        @ApiResponse(responseCode = "401",
+                    description = "Unauthorized - authentication required",
+                    content = @Content(mediaType = "application/json")),
+        @ApiResponse(responseCode = "404",
+                    description = "Asset not found",
+                    content = @Content(mediaType = "application/json"))
+    })
+    @GET
+    @Path("/{assetId}/_permissionable")
+    @JSONP
+    @NoCache
+    @Produces({MediaType.APPLICATION_JSON})
+    public ResponseEntityPermissionableObjectView getPermissionableObject(
+            final @Context HttpServletRequest request,
+            final @Context HttpServletResponse response,
+            @Parameter(description = "Asset identifier (inode or identifier)", required = true)
+            final @PathParam("assetId") String assetId)
+            throws DotDataException, DotSecurityException {
+
+        Logger.debug(this, () -> String.format(
+            "getPermissionableObject called - assetId: %s", assetId));
+
+        final User user = new WebResource.InitBuilder(webResource)
+                .requiredBackendUser(true)
+                .requiredFrontendUser(false)
+                .requestAndResponse(request, response)
+                .rejectWhenNoUser(true)
+                .init()
+                .getUser();
+
+        if (!UtilMethods.isSet(assetId)) {
+            throw new BadRequestException("Asset ID is required");
+        }
+
+        final PermissionableObjectView view = assetPermissionHelper.getPermissionableObjectView(
+            assetId, user);
+
+        return new ResponseEntityPermissionableObjectView(view);
+    }
 }
diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionableObjectView.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionableObjectView.java
new file mode 100644
index 000000000000..eb02e718031f
--- /dev/null
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/PermissionableObjectView.java
@@ -0,0 +1,70 @@
+package com.dotcms.rest.api.v1.system.permission;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * View object representing metadata about a permissionable asset.
+ * Used by the permissions tab to determine UI rendering (e.g., which
+ * permission checkboxes to show, whether to show folder/host-specific options).
+ *
+ * <p>Replaces the legacy {@code PermissionableObjectDWR} used by DWR.
+ */
+public class PermissionableObjectView {
+
+    private final String id;
+    private final String type;
+    private final boolean isFolder;
+    private final boolean isHost;
+    private final boolean isContentType;
+    private final boolean isParentPermissionable;
+    private final boolean doesUserHavePermissionsToEdit;
+
+    public PermissionableObjectView(final String id,
+                                     final String type,
+                                     final boolean isFolder,
+                                     final boolean isHost,
+                                     final boolean isContentType,
+                                     final boolean isParentPermissionable,
+                                     final boolean doesUserHavePermissionsToEdit) {
+        this.id = id;
+        this.type = type;
+        this.isFolder = isFolder;
+        this.isHost = isHost;
+        this.isContentType = isContentType;
+        this.isParentPermissionable = isParentPermissionable;
+        this.doesUserHavePermissionsToEdit = doesUserHavePermissionsToEdit;
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    @JsonProperty("isFolder")
+    public boolean isFolder() {
+        return isFolder;
+    }
+
+    @JsonProperty("isHost")
+    public boolean isHost() {
+        return isHost;
+    }
+
+    @JsonProperty("isContentType")
+    public boolean isContentType() {
+        return isContentType;
+    }
+
+    @JsonProperty("isParentPermissionable")
+    public boolean isParentPermissionable() {
+        return isParentPermissionable;
+    }
+
+    @JsonProperty("doesUserHavePermissionsToEdit")
+    public boolean isDoesUserHavePermissionsToEdit() {
+        return doesUserHavePermissionsToEdit;
+    }
+}
diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/ResponseEntityPermissionableObjectView.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/ResponseEntityPermissionableObjectView.java
new file mode 100644
index 000000000000..fc9fc56f1e36
--- /dev/null
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/ResponseEntityPermissionableObjectView.java
@@ -0,0 +1,14 @@
+package com.dotcms.rest.api.v1.system.permission;
+
+import com.dotcms.rest.ResponseEntityView;
+
+/**
+ * Typed ResponseEntityView for PermissionableObjectView.
+ * Used for accurate Swagger schema documentation.
+ */
+public class ResponseEntityPermissionableObjectView extends ResponseEntityView<PermissionableObjectView> {
+
+    public ResponseEntityPermissionableObjectView(final PermissionableObjectView entity) {
+        super(entity);
+    }
+}
diff --git a/dotCMS/src/main/java/com/dotmarketing/business/PermissionableObjectDWR.java b/dotCMS/src/main/java/com/dotmarketing/business/PermissionableObjectDWR.java
index ab8914007616..ebdcdce8ed9c 100644
--- a/dotCMS/src/main/java/com/dotmarketing/business/PermissionableObjectDWR.java
+++ b/dotCMS/src/main/java/com/dotmarketing/business/PermissionableObjectDWR.java
@@ -1,5 +1,10 @@
 package com.dotmarketing.business;
 
+/**
+ * @deprecated This DWR bean is deprecated and will be removed in a future release.
+ *             Use {@link com.dotcms.rest.api.v1.system.permission.PermissionableObjectView} instead.
+ */
+@Deprecated(forRemoval = true)
 public class PermissionableObjectDWR {
 	
 	private String id;
diff --git a/dotCMS/src/main/java/com/dotmarketing/business/ajax/HostAjax.java b/dotCMS/src/main/java/com/dotmarketing/business/ajax/HostAjax.java
index 37d52d25eb1d..f9bcc8fe33dd 100644
--- a/dotCMS/src/main/java/com/dotmarketing/business/ajax/HostAjax.java
+++ b/dotCMS/src/main/java/com/dotmarketing/business/ajax/HostAjax.java
@@ -47,6 +47,11 @@
  * @version 1.0
  * @since Mar 22, 2012
  */
+/**
+ * @deprecated This DWR class is deprecated and will be removed in a future release.
+ *             Use the JAX-RS REST API at {@code /api/v1/site/} instead.
+ */
+@Deprecated(forRemoval = true)
 public class HostAjax {
 
 	private final HostAPI hostAPI = APILocator.getHostAPI();
diff --git a/dotCMS/src/main/java/com/dotmarketing/business/ajax/InodeAjax.java b/dotCMS/src/main/java/com/dotmarketing/business/ajax/InodeAjax.java
index 5a3b665bac35..09973d93df47 100644
--- a/dotCMS/src/main/java/com/dotmarketing/business/ajax/InodeAjax.java
+++ b/dotCMS/src/main/java/com/dotmarketing/business/ajax/InodeAjax.java
@@ -7,6 +7,11 @@
 import com.dotmarketing.util.InodeUtils;
 import com.dotmarketing.util.Logger;
 
+/**
+ * @deprecated This DWR class is deprecated and will be removed in a future release.
+ *             No JSP callers remain. DWR entry removed from dwr.xml.
+ */
+@Deprecated(forRemoval = true)
 public class InodeAjax {
 	
 	public int compareInodes(String inodeStr1,String inodeStr2){
diff --git a/dotCMS/src/main/java/com/dotmarketing/business/ajax/PermissionAjax.java b/dotCMS/src/main/java/com/dotmarketing/business/ajax/PermissionAjax.java
index 690cb0a62346..cb38f7fa38ed 100644
--- a/dotCMS/src/main/java/com/dotmarketing/business/ajax/PermissionAjax.java
+++ b/dotCMS/src/main/java/com/dotmarketing/business/ajax/PermissionAjax.java
@@ -64,6 +64,11 @@
  * @author davidtorresv
  *
  */
+/**
+ * @deprecated This DWR class is deprecated and will be removed in a future release.
+ *             Use the JAX-RS REST API at {@code /api/v1/permissions/} instead.
+ */
+@Deprecated(forRemoval = true)
 public class PermissionAjax {
 
     private final ContentletAPI contentletAPI = APILocator.getContentletAPI();
diff --git a/dotCMS/src/main/java/com/dotmarketing/portlets/categories/ajax/CategoryAjax.java b/dotCMS/src/main/java/com/dotmarketing/portlets/categories/ajax/CategoryAjax.java
index e047a9173948..9e7d889518f5 100644
--- a/dotCMS/src/main/java/com/dotmarketing/portlets/categories/ajax/CategoryAjax.java
+++ b/dotCMS/src/main/java/com/dotmarketing/portlets/categories/ajax/CategoryAjax.java
@@ -37,6 +37,11 @@
 /**
  * @author David
  */
+/**
+ * @deprecated This DWR class is deprecated and will be removed in a future release.
+ *             Use the JAX-RS REST API at {@code /api/v1/categories/} instead.
+ */
+@Deprecated(forRemoval = true)
 public class CategoryAjax {
 
 	private CategoryAPI categoryAPI = APILocator.getCategoryAPI();
diff --git a/dotCMS/src/main/java/com/liferay/portal/util/PortalUtil.java b/dotCMS/src/main/java/com/liferay/portal/util/PortalUtil.java
index fa9ee5f77c07..68be0598f6ac 100644
--- a/dotCMS/src/main/java/com/liferay/portal/util/PortalUtil.java
+++ b/dotCMS/src/main/java/com/liferay/portal/util/PortalUtil.java
@@ -427,7 +427,10 @@ public static User getUserFromAuthHeader(HttpServletRequest req) {
       return null;
     }
 
-    String tok = req.getHeader("Authorization").replace("Bearer ", "").trim();
+    String tok = req.getHeader("Authorization")
+            .replace("Bearer ", "")
+            .replace("bearer ", "")
+            .trim();
 
     return Try.of(() -> JsonWebTokenFactory.getInstance().getJsonWebTokenService().parseToken(tok).getActiveUser()
             .orElse(null)).getOrNull();
diff --git a/dotCMS/src/main/webapp/WEB-INF/dwr.xml b/dotCMS/src/main/webapp/WEB-INF/dwr.xml
index d85feac1d805..7b2b4a07e955 100644
--- a/dotCMS/src/main/webapp/WEB-INF/dwr.xml
+++ b/dotCMS/src/main/webapp/WEB-INF/dwr.xml
@@ -10,9 +10,7 @@
     <create creator="new" javascript="ContentletAjax" scope="application">
       <param name="class" value="com.dotmarketing.portlets.contentlet.ajax.ContentletAjax"/>
     </create>
-    <create creator="new" javascript="CategoryAjax" scope="application">
-      <param name="class" value="com.dotmarketing.portlets.categories.ajax.CategoryAjax"/>
-    </create>
+    <!-- CategoryAjax removed - migrated to JAX-RS /api/v1/categories -->
     <create creator="new" javascript="BrowserAjax" scope="application">
       <param name="class" value="com.dotmarketing.portlets.browser.ajax.BrowserAjax"/>
     </create>
@@ -34,15 +32,9 @@
     <create creator="new" javascript="LanguageAjax" scope="application">
       <param name="class" value="com.dotmarketing.portlets.languagesmanager.ajax.LanguageAjax"/>
     </create>
-    <create creator="new" javascript="InodeAjax" scope="application">
-      <param name="class" value="com.dotmarketing.business.ajax.InodeAjax"/>
-    </create>
-    <create creator="new" javascript="PermissionAjax" scope="application">
-      <param name="class" value="com.dotmarketing.business.ajax.PermissionAjax"/>
-    </create>
-    <create creator="new" javascript="HostAjax" scope="application">
-      <param name="class" value="com.dotmarketing.business.ajax.HostAjax"/>
-    </create>
+    <!-- InodeAjax removed - no callers, deprecated -->
+    <!-- PermissionAjax removed - migrated to JAX-RS REST compatibility layer in JSP -->
+    <!-- HostAjax removed - migrated to JAX-RS /api/v1/site -->
     <create creator="new" javascript="HostVariableAjax" scope="application">
       <param name="class" value="com.dotmarketing.portlets.hostvariable.ajax.HostVariableAjax"/>
     </create>
@@ -102,10 +94,6 @@
 	</convert>
 	<convert match="java.lang.StackTraceElement" converter="bean"/>
 	<convert converter="null" match="java.io.File"/>
-	<convert converter="bean"
-      match="com.dotmarketing.business.PermissionableObjectDWR">
-      <param name="include"
-        value="id,type,isParentPermissionable,doesUserHavePermissionsToEdit,isFolder,isHost"/>
-    </convert>
+	<!-- PermissionableObjectDWR removed - replaced by PermissionableObjectView in REST API -->
   </allow>
 </dwr>
diff --git a/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml b/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
index 5b04a806fed2..daf3a0f5cb66 100644
--- a/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
+++ b/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
@@ -11125,6 +11125,72 @@ paths:
       summary: Update asset permissions
       tags:
       - Permissions
+  /v1/permissions/{assetId}/_individualpermission:
+    put:
+      description: "Breaks permission inheritance for a specific asset, giving it\
+        \ individual permissions copied from its parent. After this operation, the\
+        \ asset's permissions can be modified independently of the parent."
+      operationId: permissionIndividually
+      parameters:
+      - description: Asset identifier (inode or identifier)
+        in: path
+        name: assetId
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ResponseEntityStringView"
+          description: Inheritance broken successfully
+        "401":
+          content:
+            application/json: {}
+          description: Unauthorized - authentication required
+        "403":
+          content:
+            application/json: {}
+          description: Forbidden - user lacks EDIT_PERMISSIONS on asset
+        "404":
+          content:
+            application/json: {}
+          description: Asset not found
+      summary: Break permission inheritance
+      tags:
+      - Permissions
+  /v1/permissions/{assetId}/_permissionable:
+    get:
+      description: "Retrieves metadata about a permissionable asset including its\
+        \ type, whether it is a folder/host/content type, and whether the current\
+        \ user has permission to edit its permissions."
+      operationId: getPermissionableObject
+      parameters:
+      - description: Asset identifier (inode or identifier)
+        in: path
+        name: assetId
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ResponseEntityPermissionableObjectView"
+          description: Asset metadata retrieved successfully
+        "401":
+          content:
+            application/json: {}
+          description: Unauthorized - authentication required
+        "404":
+          content:
+            application/json: {}
+          description: Asset not found
+      summary: Get permissionable asset metadata
+      tags:
+      - Permissions
   /v1/permissions/{assetId}/_reset:
     put:
       description: "Removes all individual permissions from an asset, making it inherit\
@@ -24490,6 +24556,23 @@ components:
           type: string
         permissionType:
           type: string
+    PermissionableObjectView:
+      type: object
+      properties:
+        doesUserHavePermissionsToEdit:
+          type: boolean
+        id:
+          type: string
+        isContentType:
+          type: boolean
+        isFolder:
+          type: boolean
+        isHost:
+          type: boolean
+        isParentPermissionable:
+          type: boolean
+        type:
+          type: string
     Persona:
       type: object
       properties:
@@ -26159,6 +26242,29 @@ components:
           type: array
           items:
             type: string
+    ResponseEntityPermissionableObjectView:
+      type: object
+      properties:
+        entity:
+          $ref: "#/components/schemas/PermissionableObjectView"
+        errors:
+          type: array
+          items:
+            $ref: "#/components/schemas/ErrorEntity"
+        i18nMessagesMap:
+          type: object
+          additionalProperties:
+            type: string
+        messages:
+          type: array
+          items:
+            $ref: "#/components/schemas/MessageEntity"
+        pagination:
+          $ref: "#/components/schemas/Pagination"
+        permissions:
+          type: array
+          items:
+            type: string
     ResponseEntityPermissionsByTypeView:
       type: object
       properties:
diff --git a/dotCMS/src/main/webapp/html/common/top_inc.jsp b/dotCMS/src/main/webapp/html/common/top_inc.jsp
index 91337189a700..17a55d9b4283 100644
--- a/dotCMS/src/main/webapp/html/common/top_inc.jsp
+++ b/dotCMS/src/main/webapp/html/common/top_inc.jsp
@@ -106,12 +106,10 @@ THIS FILE AND ITS INCLUDES
 	<script type="text/javascript" src="/html/js/dwr-cookie-security.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/engine.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/util.js?b=<%= ReleaseInfo.getVersion() %>"></script>
-	<script type="text/javascript" src="/dwr/interface/HostAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/interface/ContainerAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/interface/RoleAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/interface/BrowserAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 	<script type="text/javascript" src="/dwr/interface/UserAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
-	<script type="text/javascript" src="/dwr/interface/InodeAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 
 
 	<script type="text/javascript">
diff --git a/dotCMS/src/main/webapp/html/legacy_custom_field/legacy-custom-field.jsp b/dotCMS/src/main/webapp/html/legacy_custom_field/legacy-custom-field.jsp
index ae065ee64f71..ae1479c07cef 100644
--- a/dotCMS/src/main/webapp/html/legacy_custom_field/legacy-custom-field.jsp
+++ b/dotCMS/src/main/webapp/html/legacy_custom_field/legacy-custom-field.jsp
@@ -108,12 +108,10 @@
 <script type="text/javascript" src="/html/js/dwr-cookie-security.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/engine.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/util.js?b=<%= ReleaseInfo.getVersion() %>"></script>
-<script type="text/javascript" src="/dwr/interface/HostAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/interface/ContainerAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/interface/RoleAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/interface/BrowserAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <script type="text/javascript" src="/dwr/interface/UserAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
-<script type="text/javascript" src="/dwr/interface/InodeAjax.js?b=<%= ReleaseInfo.getVersion() %>"></script>
 <%
     // Cache busting for development - use timestamp
     String cacheBuster = String.valueOf(System.currentTimeMillis());
diff --git a/dotCMS/src/main/webapp/html/ng-contentlet-selector.jsp b/dotCMS/src/main/webapp/html/ng-contentlet-selector.jsp
index fba147d8d001..5c1f8c22e63a 100644
--- a/dotCMS/src/main/webapp/html/ng-contentlet-selector.jsp
+++ b/dotCMS/src/main/webapp/html/ng-contentlet-selector.jsp
@@ -248,8 +248,6 @@
     <script type="text/javascript" src="/dwr/interface/StructureAjax.js"></script>
     <script type="text/javascript" src="/dwr/interface/ContentletAjax.js"></script>
     <script type="text/javascript" src="/dwr/interface/BrowserAjax.js"></script>
-    <script type="text/javascript" src="/dwr/interface/CategoryAjax.js"></script>
-
 
     <script type="text/javascript">
         dojo.require("dotcms.dijit.form.ContentSelector");
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/browser/view_browser_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/browser/view_browser_js_inc.jsp
index 3abecafa6932..4ce888366d00 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/browser/view_browser_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/browser/view_browser_js_inc.jsp
@@ -36,8 +36,6 @@ Structure defaultFileAssetStructure = CacheLocator.getContentTypeCache().getStru
     }
 </style>
 
-<script type="text/javascript" src="/dwr/interface/HostAjax.js"></script>
-
 <script src="/html/js/scriptaculous/prototype.js" type="text/javascript"></script>
 <script src="/html/js/scriptaculous/scriptaculous.js" type="text/javascript"></script>
 
@@ -1149,7 +1147,10 @@ Structure defaultFileAssetStructure = CacheLocator.getContentTypeCache().getStru
 
     function setAsDefaultHost(objId,referer) {
         if (confirm('<%= UtilMethods.escapeSingleQuotes(LanguageUtil.get(pageContext, "Are-you-sure-you-want-to-set-this-host-as-the-default-host")) %>')) {
-            HostAjax.makeDefault(objId, setAsDefaultHostCallback);
+            fetch('/api/v1/site/' + objId + '/_makedefault', {method: 'PUT', cache: 'no-cache'})
+                .then(function(r) { return r.json(); })
+                .then(function() { setAsDefaultHostCallback(); })
+                .catch(function(error) { console.error('Error setting default host:', error); });
         }
     }
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/calendar/view_calendar_main_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/calendar/view_calendar_main_inc.jsp
index 9dbe741da6fa..77bed310ebc0 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/calendar/view_calendar_main_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/calendar/view_calendar_main_inc.jsp
@@ -38,7 +38,6 @@
 <%@page import="com.dotmarketing.business.PermissionAPI"%>
 
 <script type='text/javascript' src='/dwr/interface/CalendarAjax.js'></script>
-<script type='text/javascript' src='/dwr/interface/CategoryAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/StructureAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/TagAjax.js'></script>
 <script type='text/javascript' src='/dwr/engine.js'></script>
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
index 191f001235ae..bf2daa8a494d 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
@@ -58,7 +58,6 @@
     }
 
 </style>
-<script type="text/javascript" src="/dwr/interface/CategoryAjax.js"></script>
 <script type="text/javascript">
     dojo.require("dojox.grid.enhanced.plugins.Pagination");
     dojo.require("dojox.grid.enhanced.plugins.Search");
@@ -125,7 +124,18 @@
     };
 
     var sortCat = function() {
-        CategoryAjax.sortCategory(this.name, this.value);
+        var inode = this.name;
+        var sortOrder = parseInt(this.value, 10);
+        var categoryData = {};
+        categoryData[inode] = sortOrder;
+        fetch('/api/v1/categories/_sort', {
+            method: 'PUT',
+            cache: 'no-cache',
+            headers: {'Content-Type': 'application/json'},
+            body: JSON.stringify({categoryData: categoryData, parentInode: currentInodeOrIdentifier || null})
+        })
+        .then(function(r) { return r.json(); })
+        .catch(function(error) { console.error('Error updating sort order:', error); });
     };
 
     var sortSelectable = function() {
@@ -585,14 +595,19 @@
 			}
         }
 
-        CategoryAjax.getCategoryMap(inode,getCategoryMapCallback);
+        if (inode && inode !== '0') {
+            fetch('/api/v1/categories/' + encodeURIComponent(inode), {cache: 'no-cache'})
+                .then(function(r) { return r.json(); })
+                .then(function(data) { getCategoryMapCallback(data.entity); })
+                .catch(function(error) { console.error('Error fetching category:', error); });
+        }
     }
 
     function getCategoryMapCallback(categoryMap){
         var inode = categoryMap['inode'];
-        var name = categoryMap['category_name'];
-        var velVar = categoryMap['category_velocity_var_name'];
-        var key = categoryMap['category_key'];
+        var name = categoryMap['categoryName'];
+        var velVar = categoryMap['categoryVelocityVarName'];
+        var key = categoryMap['key'];
         var keywords = categoryMap['keywords'];
 
         key = key=="null"?"":key;
@@ -616,25 +631,35 @@
                 var dia = dijit.byId('dotDeleteCategoriesDialog');
                 dia.show();
 
-                CategoryAjax.deleteCategories(currentInodeOrIdentifier, {
-                    callback:function(result) {
-                        if(result==0) {
+                var deleteBody = currentInodeOrIdentifier ? [currentInodeOrIdentifier] : [];
+                fetch('/api/v1/categories', {
+                    method: 'DELETE',
+                    cache: 'no-cache',
+                    headers: {'Content-Type': 'application/json'},
+                    body: JSON.stringify(deleteBody)
+                })
+                .then(function(r) { return r.json(); })
+                .then(function(data) {
+                    var result = data.entity;
+                    if (result && result.fails && result.fails.length > 0) {
+                        dojo.byId("warningDiv").innerHTML = '<%= LanguageUtil.get(pageContext, "message.category.delete.failed.has.dependencies") %>';
+                        var t = new dojox.timing.Timer();
+                        t.setInterval(5000);
+                        t.onTick = function() {
+                            t.stop();
                             dojo.byId("warningDiv").innerHTML = '';
-                        } else if(result==1) {
-                            dojo.byId("warningDiv").innerHTML = '<%= LanguageUtil.get(pageContext, "message.category.delete.failed.has.dependencies") %>';
-                            var t = new dojox.timing.Timer();
-                            t.setInterval(5000);
-                            t.onTick = function() {
-                                t.stop();
-                                dojo.byId("warningDiv").innerHTML = '';
-                            };
-                            t.start();
-                        }
-
-                        dia.hide();
-                        doSearch(false, true);
-                        grid.selection.clear();
+                        };
+                        t.start();
+                    } else {
+                        dojo.byId("warningDiv").innerHTML = '';
                     }
+                    dia.hide();
+                    doSearch(false, true);
+                    grid.selection.clear();
+                })
+                .catch(function(error) {
+                    console.error('Error deleting categories:', error);
+                    dia.hide();
                 });
             }
 
@@ -648,27 +673,34 @@
                     inodes[index] = selectedItem.i.inode;
                 });
 
-                CategoryAjax.deleteSelectedCategories(inodes, {
-                    callback:function(result) {
-                        if(result==0) {
-                            dojo.byId("warningDiv").innerHTML = '';
-                        } else if(result==1) { // has dependencies
-                            dojo.byId("warningDiv").innerHTML = '<%= LanguageUtil.get(pageContext, "message.category.delete.failed.has.dependencies") %>';
-                            var t = new dojox.timing.Timer();
-                            t.setInterval(5000);
-                            t.onTick = function() {
-                                dojo.byId("warningDiv").innerHTML = '';
-                                t.stop();
-                            }
-                            t.start();
-                        } else if (result==2) {
+                fetch('/api/v1/categories', {
+                    method: 'DELETE',
+                    cache: 'no-cache',
+                    headers: {'Content-Type': 'application/json'},
+                    body: JSON.stringify(inodes)
+                })
+                .then(function(r) { return r.json(); })
+                .then(function(data) {
+                    var result = data.entity;
+                    if (result && result.fails && result.fails.length > 0) {
+                        dojo.byId("warningDiv").innerHTML = '<%= LanguageUtil.get(pageContext, "message.category.delete.failed.has.dependencies") %>';
+                        var t = new dojox.timing.Timer();
+                        t.setInterval(5000);
+                        t.onTick = function() {
                             dojo.byId("warningDiv").innerHTML = '';
+                            t.stop();
                         }
-
-                        grid.selection.clear();
-                        doSearch(false, true);
-                        dia.hide();
+                        t.start();
+                    } else {
+                        dojo.byId("warningDiv").innerHTML = '';
                     }
+                    grid.selection.clear();
+                    doSearch(false, true);
+                    dia.hide();
+                })
+                .catch(function(error) {
+                    console.error('Error deleting categories:', error);
+                    dia.hide();
                 });
             };
         }
@@ -695,41 +727,74 @@
         var key = dojo.byId(prefix+"CatKey").value;
         var keywords = dojo.byId(prefix+"CatKeywords").value;
 
-        CategoryAjax.saveOrUpdateCategory(save, currentInodeOrIdentifier, name, velVar, key, keywords, {
-            callback:function(result) {
-                doSearch(false, true);
-                grid.selection.clear();
-
-                var message = "";
-                var messageStyle = "color:green; font-size:11px;";
+        var requestBody;
+        var requestMethod;
+        var requestUrl = '/api/v1/categories';
+
+        if (save) {
+            requestMethod = 'POST';
+            requestBody = {
+                categoryName: name,
+                categoryVelocityVarName: velVar,
+                key: key,
+                keywords: keywords,
+                parent: currentInodeOrIdentifier || null
+            };
+        } else {
+            requestMethod = 'PUT';
+            requestBody = {
+                inode: currentInodeOrIdentifier,
+                categoryName: name,
+                categoryVelocityVarName: velVar,
+                key: key,
+                keywords: keywords
+            };
+        }
 
-                switch (result) {
-                    case 0:
-                        message = `<%= LanguageUtil.get(pageContext, "message.category.add") %>`;
-                        clearAddDialog();
-                        if(!save) {
-                            message = `<%= LanguageUtil.get(pageContext, "message.category.update") %>`;
-                            showDotCMSSystemMessage(message);
-                        }
-                        break;
-                    case 1:
-                        message = `<%= LanguageUtil.get(pageContext, "message.category.permission.error") %>`;
-                        messageStyle = "color:red; font-size:11px;";
-                        error = true;
-						if(!save) {
-							showDotCMSSystemMessage(message);
-						}
-                        break;
-                    case 2:
+        fetch(requestUrl, {
+            method: requestMethod,
+            cache: 'no-cache',
+            headers: {'Content-Type': 'application/json'},
+            body: JSON.stringify(requestBody)
+        })
+        .then(function(r) {
+            if (r.status === 403) {
+                return r.json().then(function() {
+                    var message = `<%= LanguageUtil.get(pageContext, "message.category.permission.error") %>`;
+                    dojo.byId("savedMessage").innerHTML = message;
+                    dojo.byId("savedMessage").style = "color:red; font-size:11px;";
+                    if (!save) { showDotCMSSystemMessage(message); }
+                });
+            }
+            if (!r.ok) {
+                return r.json().then(function(errData) {
+                    var errMsg = (errData && errData.message) ? errData.message : '';
+                    var message;
+                    if (errMsg.indexOf('taken') !== -1 || errMsg.indexOf('key') !== -1) {
                         message = `<%= LanguageUtil.get(pageContext, "error.category.folder.taken") %>`;
-                        messageStyle = "color:red; font-size:11px;";
-                        break;
-                    default:
+                    } else {
+                        message = errMsg || `<%= LanguageUtil.get(pageContext, "error.category.folder.taken") %>`;
+                    }
+                    dojo.byId("savedMessage").innerHTML = message;
+                    dojo.byId("savedMessage").style = "color:red; font-size:11px;";
+                });
+            }
+            return r.json().then(function() {
+                doSearch(false, true);
+                grid.selection.clear();
+                var message = `<%= LanguageUtil.get(pageContext, "message.category.add") %>`;
+                if (!save) {
+                    message = `<%= LanguageUtil.get(pageContext, "message.category.update") %>`;
+                    showDotCMSSystemMessage(message);
+                } else {
+                    clearAddDialog();
                 }
-
                 dojo.byId("savedMessage").innerHTML = message;
-                dojo.byId("savedMessage").style = messageStyle;
-            }
+                dojo.byId("savedMessage").style = "color:green; font-size:11px;";
+            });
+        })
+        .catch(function(error) {
+            console.error('Error saving category:', error);
         });
     }
 
@@ -741,21 +806,36 @@
     }
 
     function importCategories() {
-        var file = dwr.util.getValue('uploadFile');
+        var fileInput = document.getElementById('uploadFile');
         var filter = dojo.byId("catFilter").value;
         var merge = dojo.byId("radioTwo");
         var exportType = "replace";
 
-        if(merge.checked) {
+        if (merge.checked) {
             exportType = "merge";
         }
 
-        CategoryAjax.importCategories(currentInodeOrIdentifier, filter, file, exportType, function(result) {
-            var dia = dijit.byId('importCategoriesOptions');
+        if (!fileInput || !fileInput.files || fileInput.files.length === 0) {
+            console.error('No file selected for import');
+            return;
+        }
 
-            if(result==0) {
-                dojo.byId("warningDiv").innerHTML = '';
-            }  else if (result==1) {
+        var formData = new FormData();
+        formData.append('file', fileInput.files[0]);
+        formData.append('filter', filter || '');
+        formData.append('exportType', exportType);
+        formData.append('contextInode', currentInodeOrIdentifier || '');
+
+        fetch('/api/v1/categories/_import', {
+            method: 'POST',
+            cache: 'no-cache',
+            body: formData
+        })
+        .then(function(r) { return r.json(); })
+        .then(function(data) {
+            var dia = dijit.byId('importCategoriesOptions');
+            var result = data.entity;
+            if (result && result.fails && result.fails.length > 0) {
                 dojo.byId("warningDiv").innerHTML = `<%= LanguageUtil.get(pageContext, "message.category.delete.failed.has.dependencies") %>`;
                 var t = new dojox.timing.Timer();
                 t.setInterval(5000);
@@ -764,11 +844,15 @@
                     t.stop();
                 }
                 t.start();
+            } else {
+                dojo.byId("warningDiv").innerHTML = '';
             }
-
             dia.hide();
             doSearch(false, true);
             grid.selection.clear();
+        })
+        .catch(function(error) {
+            console.error('Error importing categories:', error);
         });
     }
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories_dialog.jsp b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories_dialog.jsp
index 585223d37601..b646d23badc6 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories_dialog.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories_dialog.jsp
@@ -41,8 +41,6 @@
 }
 
 </style>
-<script type="text/javascript" src="/dwr/interface/CategoryAjax.js"></script>
-
 <script type="text/javascript">
 	dojo.require("dojox.grid.enhanced.plugins.Pagination");
 	dojo.require('dijit.layout.ContentPane');
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc.jsp
index af42406c502e..72e8431c9cdf 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc.jsp
@@ -17,7 +17,220 @@
 <%@ page import="com.dotmarketing.portlets.rules.model.Rule" %>
 <%@ page import="com.dotmarketing.portlets.templates.design.bean.TemplateLayout" %>
 
-<script type="text/javascript" src="/dwr/interface/PermissionAjax.js"></script>
+<script type="text/javascript">
+// DWR-to-REST compatibility layer for PermissionAjax
+var PermissionAjax = (function () {
+
+    var PERM_BIT = {
+        READ: 1,
+        WRITE: 2,
+        PUBLISH: 4,
+        EDIT_PERMISSIONS: 8,
+        CAN_ADD_CHILDREN: 16
+    };
+
+    var SCOPE_TO_CLASS = {
+        HOST: 'com.dotmarketing.beans.Host',
+        FOLDER: 'com.dotmarketing.portlets.folders.model.Folder',
+        CONTAINER: 'com.dotmarketing.portlets.containers.model.Container',
+        TEMPLATE: 'com.dotmarketing.portlets.templates.model.Template',
+        TEMPLATE_LAYOUT: 'com.dotmarketing.portlets.templates.design.bean.TemplateLayout',
+        PAGE: 'com.dotmarketing.portlets.htmlpageasset.model.IHTMLPage',
+        LINK: 'com.dotmarketing.portlets.links.model.Link',
+        CONTENT: 'com.dotmarketing.portlets.contentlet.model.Contentlet',
+        STRUCTURE: 'com.dotmarketing.portlets.structure.model.Structure',
+        CATEGORY: 'com.dotmarketing.portlets.categories.model.Category',
+        RULES: 'com.dotmarketing.portlets.rules.model.Rule'
+    };
+
+    // Maps the field names used by applyPermissionChanges() to REST scope names.
+    // Includes both singular and plural variants used across different callers.
+    var FIELD_TO_SCOPE = {
+        foldersPermission: 'FOLDER',
+        containersPermission: 'CONTAINER',
+        templatesPermission: 'TEMPLATE',
+        templateLayoutsPermission: 'TEMPLATE_LAYOUT',
+        pagesPermission: 'PAGE',
+        linksPermission: 'LINK',
+        contentPermission: 'CONTENT',
+        structurePermission: 'STRUCTURE',
+        categoriesPermissions: 'CATEGORY',
+        rulesPermissions: 'RULES',
+        rulesPermission: 'RULES'
+    };
+
+    function namesToBits(nameArray) {
+        var bits = 0;
+        if (!nameArray) return bits;
+        nameArray.forEach(function (p) {
+            if (PERM_BIT[p] !== undefined) bits |= PERM_BIT[p];
+        });
+        return bits;
+    }
+
+    function resolveCallback(callbackConfig) {
+        if (typeof callbackConfig === 'function') {
+            return { fn: callbackConfig, scope: window };
+        }
+        return { fn: callbackConfig.callback, scope: callbackConfig.scope || window };
+    }
+
+    return {
+
+        getAssetPermissions: function (assetId, languageId, callbackConfig) {
+            var cb = resolveCallback(callbackConfig);
+            var langParam = languageId ? '&languageId=' + encodeURIComponent(languageId) : '';
+            fetch('/api/v1/permissions/' + encodeURIComponent(assetId) + '?per_page=100' + langParam, { cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function (data) {
+                    var entity = data.entity || {};
+                    var permissions = entity.permissions || [];
+                    var dwrRoles = permissions.map(function (rp) {
+                        var role = {
+                            id: rp.roleId,
+                            name: rp.roleName,
+                            inherited: !!rp.inherited,
+                            inheritedFromType: rp.inheritedFromType || '',
+                            inheritedFromPath: rp.inheritedFromPath || '',
+                            inheritedFromId: rp.inheritedFromId || '',
+                            editPermissions: true,
+                            locked: false,
+                            permissions: []
+                        };
+                        // Merge all permission types into "individual" to match DWR behavior.
+                        // DWR's getAssetPermissions() forced ALL permissions from getPermissions()
+                        // to type="individual", so roles with only inheritable-type permissions
+                        // (e.g., FOLDER READ) still had their bits in the "individual" bucket.
+                        var allBits = namesToBits(rp.individual);
+                        var inheritable = rp.inheritable || {};
+                        Object.keys(inheritable).forEach(function (scope) {
+                            allBits |= namesToBits(inheritable[scope]);
+                        });
+                        if (allBits > 0) {
+                            role.permissions.push({
+                                type: 'individual',
+                                permission: allBits,
+                                inode: entity.assetId
+                            });
+                        }
+                        // Also add scope-specific entries for inheritable permissions
+                        // (these come from the separate getInheritablePermissions() call in the DWR)
+                        Object.keys(inheritable).forEach(function (scope) {
+                            var className = SCOPE_TO_CLASS[scope] || scope;
+                            role.permissions.push({
+                                type: className,
+                                permission: namesToBits(inheritable[scope]),
+                                inode: entity.assetId
+                            });
+                        });
+                        return role;
+                    });
+                    cb.fn.call(cb.scope, dwrRoles);
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.getAssetPermissions failed:', error);
+                });
+        },
+
+        saveAssetPermissions: function (assetId, languageId, permissions, cascade, callbackConfig) {
+            function bitsToNames(bits) {
+                var names = [];
+                if (bits & PERM_BIT.READ) names.push('READ');
+                if (bits & PERM_BIT.WRITE) names.push('WRITE');
+                if (bits & PERM_BIT.PUBLISH) names.push('PUBLISH');
+                if (bits & PERM_BIT.EDIT_PERMISSIONS) names.push('EDIT_PERMISSIONS');
+                if (bits & PERM_BIT.CAN_ADD_CHILDREN) names.push('CAN_ADD_CHILDREN');
+                return names;
+            }
+
+            // Track which REST scopes have been mapped to avoid duplicates
+            // when both rulesPermission and rulesPermissions are present.
+            var restPermissions = permissions.map(function (p) {
+                var roleForm = { roleId: p.roleId, individual: [] };
+                if (p.individualPermission != null) {
+                    roleForm.individual = bitsToNames(parseInt(p.individualPermission) || 0);
+                }
+                var inheritable = {};
+                Object.keys(FIELD_TO_SCOPE).forEach(function (field) {
+                    if (p[field] != null) {
+                        var scope = FIELD_TO_SCOPE[field];
+                        if (!inheritable[scope]) {
+                            var names = bitsToNames(parseInt(p[field]) || 0);
+                            if (names.length > 0) {
+                                inheritable[scope] = names;
+                            }
+                        }
+                    }
+                });
+                if (Object.keys(inheritable).length > 0) {
+                    roleForm.inheritable = inheritable;
+                }
+                return roleForm;
+            });
+
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '?cascade=' + (cascade ? 'true' : 'false');
+            if (languageId) url += '&languageId=' + encodeURIComponent(languageId);
+
+            fetch(url, {
+                method: 'PUT',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ permissions: restPermissions }),
+                cache: 'no-cache'
+            })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callbackConfig === 'function') {
+                        callbackConfig();
+                    } else if (callbackConfig && typeof callbackConfig.callback === 'function') {
+                        callbackConfig.callback.call(callbackConfig.scope || window);
+                    }
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.saveAssetPermissions failed:', error);
+                });
+        },
+
+        permissionIndividually: function (assetId, languageId, callback) {
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '/_individualpermission';
+            if (languageId) url += '?languageId=' + encodeURIComponent(languageId);
+            fetch(url, { method: 'PUT', cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callback === 'function') callback();
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.permissionIndividually failed:', error);
+                });
+        },
+
+        resetAssetPermissions: function (assetId, languageId, callback) {
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '/_reset';
+            if (languageId) url += '?languageId=' + encodeURIComponent(languageId);
+            fetch(url, { method: 'PUT', cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callback === 'function') callback();
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.resetAssetPermissions failed:', error);
+                });
+        },
+
+        getAsset: function (inodeOrId, callbackConfig) {
+            var cb = resolveCallback(callbackConfig);
+            fetch('/api/v1/permissions/' + encodeURIComponent(inodeOrId) + '/_permissionable', { cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function (data) {
+                    cb.fn.call(cb.scope, data.entity);
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.getAsset failed:', error);
+                });
+        }
+
+    };
+}());
+</script>
 <script type="text/javascript" src="/html/js/dotcms/dijit/form/RolesFilteringSelect.js"></script>
 <script type="text/javascript"><!--
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc_ajax.jsp b/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc_ajax.jsp
index 3d5848e252da..c51657b99fdb 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc_ajax.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/common/edit_permissions_tab_js_inc_ajax.jsp
@@ -13,7 +13,211 @@
 <%@ page import="com.dotmarketing.portlets.rules.model.Rule" %>
 <%@ page import="com.dotmarketing.portlets.templates.design.bean.TemplateLayout" %>
 
-<script type="text/javascript" src="/dwr/interface/PermissionAjax.js"></script>
+<script type="text/javascript">
+// DWR-to-REST compatibility layer for PermissionAjax
+var PermissionAjax = (function () {
+
+    var PERM_BIT = {
+        READ: 1,
+        WRITE: 2,
+        PUBLISH: 4,
+        EDIT_PERMISSIONS: 8,
+        CAN_ADD_CHILDREN: 16
+    };
+
+    var SCOPE_TO_CLASS = {
+        HOST: 'com.dotmarketing.beans.Host',
+        FOLDER: 'com.dotmarketing.portlets.folders.model.Folder',
+        CONTAINER: 'com.dotmarketing.portlets.containers.model.Container',
+        TEMPLATE: 'com.dotmarketing.portlets.templates.model.Template',
+        TEMPLATE_LAYOUT: 'com.dotmarketing.portlets.templates.design.bean.TemplateLayout',
+        PAGE: 'com.dotmarketing.portlets.htmlpageasset.model.IHTMLPage',
+        LINK: 'com.dotmarketing.portlets.links.model.Link',
+        CONTENT: 'com.dotmarketing.portlets.contentlet.model.Contentlet',
+        STRUCTURE: 'com.dotmarketing.portlets.structure.model.Structure',
+        CATEGORY: 'com.dotmarketing.portlets.categories.model.Category',
+        RULES: 'com.dotmarketing.portlets.rules.model.Rule'
+    };
+
+    var FIELD_TO_SCOPE = {
+        foldersPermission: 'FOLDER',
+        containersPermission: 'CONTAINER',
+        templatesPermission: 'TEMPLATE',
+        templateLayoutsPermission: 'TEMPLATE_LAYOUT',
+        pagesPermission: 'PAGE',
+        linksPermission: 'LINK',
+        contentPermission: 'CONTENT',
+        structurePermission: 'STRUCTURE',
+        rulesPermission: 'RULES'
+    };
+
+    function namesToBits(nameArray) {
+        var bits = 0;
+        if (!nameArray) return bits;
+        nameArray.forEach(function (p) {
+            if (PERM_BIT[p] !== undefined) bits |= PERM_BIT[p];
+        });
+        return bits;
+    }
+
+    function resolveCallback(callbackConfig) {
+        if (typeof callbackConfig === 'function') {
+            return { fn: callbackConfig, scope: window };
+        }
+        return { fn: callbackConfig.callback, scope: callbackConfig.scope || window };
+    }
+
+    return {
+
+        getAssetPermissions: function (assetId, languageId, callbackConfig) {
+            var cb = resolveCallback(callbackConfig);
+            var langParam = languageId ? '&languageId=' + encodeURIComponent(languageId) : '';
+            fetch('/api/v1/permissions/' + encodeURIComponent(assetId) + '?per_page=100' + langParam, { cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function (data) {
+                    var entity = data.entity || {};
+                    var permissions = entity.permissions || [];
+                    var dwrRoles = permissions.map(function (rp) {
+                        var role = {
+                            id: rp.roleId,
+                            name: rp.roleName,
+                            inherited: !!rp.inherited,
+                            inheritedFromType: rp.inheritedFromType || '',
+                            inheritedFromPath: rp.inheritedFromPath || '',
+                            inheritedFromId: rp.inheritedFromId || '',
+                            editPermissions: true,
+                            locked: false,
+                            permissions: []
+                        };
+                        // Merge all permission types into "individual" to match DWR behavior.
+                        // DWR's getAssetPermissions() forced ALL permissions from getPermissions()
+                        // to type="individual", so roles with only inheritable-type permissions
+                        // (e.g., FOLDER READ) still had their bits in the "individual" bucket.
+                        var allBits = namesToBits(rp.individual);
+                        var inheritable = rp.inheritable || {};
+                        Object.keys(inheritable).forEach(function (scope) {
+                            allBits |= namesToBits(inheritable[scope]);
+                        });
+                        if (allBits > 0) {
+                            role.permissions.push({
+                                type: 'individual',
+                                permission: allBits,
+                                inode: entity.assetId
+                            });
+                        }
+                        // Also add scope-specific entries for inheritable permissions
+                        // (these come from the separate getInheritablePermissions() call in the DWR)
+                        Object.keys(inheritable).forEach(function (scope) {
+                            var className = SCOPE_TO_CLASS[scope] || scope;
+                            role.permissions.push({
+                                type: className,
+                                permission: namesToBits(inheritable[scope]),
+                                inode: entity.assetId
+                            });
+                        });
+                        return role;
+                    });
+                    cb.fn.call(cb.scope, dwrRoles);
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.getAssetPermissions failed:', error);
+                });
+        },
+
+        saveAssetPermissions: function (assetId, languageId, permissions, cascade, callbackConfig) {
+            function bitsToNames(bits) {
+                var names = [];
+                if (bits & PERM_BIT.READ) names.push('READ');
+                if (bits & PERM_BIT.WRITE) names.push('WRITE');
+                if (bits & PERM_BIT.PUBLISH) names.push('PUBLISH');
+                if (bits & PERM_BIT.EDIT_PERMISSIONS) names.push('EDIT_PERMISSIONS');
+                if (bits & PERM_BIT.CAN_ADD_CHILDREN) names.push('CAN_ADD_CHILDREN');
+                return names;
+            }
+
+            var restPermissions = permissions.map(function (p) {
+                var roleForm = { roleId: p.roleId, individual: [] };
+                if (p.individualPermission != null) {
+                    roleForm.individual = bitsToNames(parseInt(p.individualPermission) || 0);
+                }
+                var inheritable = {};
+                Object.keys(FIELD_TO_SCOPE).forEach(function (field) {
+                    if (p[field] != null) {
+                        var names = bitsToNames(parseInt(p[field]) || 0);
+                        if (names.length > 0) {
+                            inheritable[FIELD_TO_SCOPE[field]] = names;
+                        }
+                    }
+                });
+                if (Object.keys(inheritable).length > 0) {
+                    roleForm.inheritable = inheritable;
+                }
+                return roleForm;
+            });
+
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '?cascade=' + (cascade ? 'true' : 'false');
+            if (languageId) url += '&languageId=' + encodeURIComponent(languageId);
+
+            fetch(url, {
+                method: 'PUT',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ permissions: restPermissions }),
+                cache: 'no-cache'
+            })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callbackConfig === 'function') {
+                        callbackConfig();
+                    } else if (callbackConfig && typeof callbackConfig.callback === 'function') {
+                        callbackConfig.callback.call(callbackConfig.scope || window);
+                    }
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.saveAssetPermissions failed:', error);
+                });
+        },
+
+        permissionIndividually: function (assetId, languageId, callback) {
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '/_individualpermission';
+            if (languageId) url += '?languageId=' + encodeURIComponent(languageId);
+            fetch(url, { method: 'PUT', cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callback === 'function') callback();
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.permissionIndividually failed:', error);
+                });
+        },
+
+        resetAssetPermissions: function (assetId, languageId, callback) {
+            var url = '/api/v1/permissions/' + encodeURIComponent(assetId) + '/_reset';
+            if (languageId) url += '?languageId=' + encodeURIComponent(languageId);
+            fetch(url, { method: 'PUT', cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function () {
+                    if (typeof callback === 'function') callback();
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.resetAssetPermissions failed:', error);
+                });
+        },
+
+        getAsset: function (inodeOrId, callbackConfig) {
+            var cb = resolveCallback(callbackConfig);
+            fetch('/api/v1/permissions/' + encodeURIComponent(inodeOrId) + '/_permissionable', { cache: 'no-cache' })
+                .then(function (r) { return r.json(); })
+                .then(function (data) {
+                    cb.fn.call(cb.scope, data.entity);
+                })
+                .catch(function (error) {
+                    console.error('PermissionAjax.getAsset failed:', error);
+                });
+        }
+
+    };
+}());
+</script>
 <script type="text/javascript" src="/html/js/dotcms/dijit/form/RolesFilteringSelect.js"></script>
 <script type="text/javascript"><!--
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/field/edit_field_js.jsp b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/field/edit_field_js.jsp
index a7c3c1ca114e..2e33fbb49c2b 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/field/edit_field_js.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/field/edit_field_js.jsp
@@ -18,7 +18,6 @@
 <%@ page import="org.apache.commons.lang.StringUtils" %>
 
 <script type='text/javascript' src='/dwr/interface/StructureAjax.js'></script>
-<script type='text/javascript' src='/dwr/interface/CategoryAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/ContentletAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/TagAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/FileAssetAjax.js'></script>
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets.jsp b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets.jsp
index 387e4ea0a433..6c31cbe76455 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets.jsp
@@ -216,7 +216,6 @@
 <jsp:include page="/html/portlet/ext/folders/context_menus_js.jsp" />
 <script type='text/javascript' src='/html/js/scriptaculous/prototype.js'></script>
 <script type='text/javascript' src='/dwr/interface/StructureAjax.js'></script>
-<script type='text/javascript' src='/dwr/interface/CategoryAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/ContentletAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/TagAjax.js'></script>
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_js_inc.jsp
index 82da98a746d6..6134d451c305 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_js_inc.jsp
@@ -1387,7 +1387,12 @@ final String calendarEventInode = null!=calendarEventSt ? calendarEventSt.inode(
                         var selectId = cat["categoryName"].replace(/[^A-Za-z0-9_]/g, "") + "Select";
                         var mycallbackfnc = function(data) { fillCategorySelect(selectId, data); }
 
-                        CategoryAjax.getSubCategories(cat["inode"], '', { callback: mycallbackfnc, async: false });
+                        (function(cb) {
+                            fetch('/api/v1/categories/children?inode=' + encodeURIComponent(cat["inode"]) + '&allLevels=true&per_page=1000', {cache: 'no-cache'})
+                                .then(function(r) { return r.json(); })
+                                .then(function(data) { cb(data.entity || []); })
+                                .catch(function(error) { console.error('Error loading subcategories:', error); cb([]); });
+                        })(mycallbackfnc);
                 }
         }
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_popup.jsp b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_popup.jsp
index 3f539e0b3f38..c8e6b10224f3 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_popup.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/contentlet/view_contentlets_popup.jsp
@@ -22,7 +22,6 @@
 
 
 <script type='text/javascript' src='/dwr/interface/StructureAjax.js'></script>
-<script type='text/javascript' src='/dwr/interface/CategoryAjax.js'></script>
 <script type='text/javascript' src='/dwr/interface/ContentletAjax.js'></script>
 <script type='text/javascript' src='/dwr/engine.js'></script>
 <script type='text/javascript' src='/dwr/util.js'></script>
@@ -310,7 +309,12 @@ function renderSearchField (field) {
 			var cat = categories[i];
 			var selectId = cat["categoryName"].replace(/[^A-Za-z0-9_]/, "") + "Select";
 			var mycallbackfnc = function(data) { fillCategorySelect(selectId, data); }
-			CategoryAjax.getSubCategories(cat["inode"], '', { callback: mycallbackfnc, async: false });
+			(function(cb) {
+				fetch('/api/v1/categories/children?inode=' + encodeURIComponent(cat["inode"]) + '&allLevels=true&per_page=1000', {cache: 'no-cache'})
+					.then(function(r) { return r.json(); })
+					.then(function(data) { cb(data.entity || []); })
+					.catch(function(error) { console.error('Error loading subcategories:', error); cb([]); });
+			})(mycallbackfnc);
 		}
 	}
 	
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/files/upload_multiple_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/files/upload_multiple_js_inc.jsp
index eec97488728b..248d3f324312 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/files/upload_multiple_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/files/upload_multiple_js_inc.jsp
@@ -3,7 +3,6 @@
 
 <%@page import="com.dotmarketing.util.UtilMethods" %>
 
-<script src="/dwr/interface/HostAjax.js" type="text/javascript"></script>
 <script src="/html/js/scriptaculous/prototype.js" type="text/javascript"></script>
 <script src="/html/js/scriptaculous/scriptaculous.js" type="text/javascript"></script>
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/fileupload/upload_multiple_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/fileupload/upload_multiple_js_inc.jsp
index 3f1dc87c22cf..e0100ef254df 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/fileupload/upload_multiple_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/fileupload/upload_multiple_js_inc.jsp
@@ -3,7 +3,6 @@
 
 <%@page import="com.dotmarketing.util.UtilMethods" %>
 
-<script src="/dwr/interface/HostAjax.js" type="text/javascript"></script>
 <script src="/html/js/scriptaculous/prototype.js" type="text/javascript"></script>
 <script src="/html/js/scriptaculous/scriptaculous.js" type="text/javascript"></script>
 
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/hostadmin/view_hosts_js_inc.jsp b/dotCMS/src/main/webapp/html/portlet/ext/hostadmin/view_hosts_js_inc.jsp
index 28b76fd05f1a..0ca747ea19bd 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/hostadmin/view_hosts_js_inc.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/hostadmin/view_hosts_js_inc.jsp
@@ -229,7 +229,12 @@
                 this.gotoCreateHost();
             }
             else {
-				HostAjax.findAllHostThumbnails(dojo.hitch(this, this.goToStep2Callback));
+                fetch('/api/v1/site/thumbnails', {cache: 'no-cache'})
+                    .then(function(response) { return response.json(); })
+                    .then(dojo.hitch(this, function(data) {
+                        this.goToStep2Callback(data.entity);
+                    }))
+                    .catch(function(error) { console.error('Error loading host thumbnails:', error); });
             }
 
         },
@@ -357,42 +362,28 @@
         refreshHostTable: function(){
             var filter = dijit.byId('filter').attr('value');
             var showDeleted = dijit.byId('showDeleted').attr('checked');
-            var offset = (this.currentPage - 1) * this.RESULTS_PER_PAGE;
+            var page = this.currentPage;
             var count = this.RESULTS_PER_PAGE;
-            HostAjax.findHostsPaginated(filter, showDeleted, offset, count, dojo.hitch(this, this.refreshHostTableCallback));
+            var url = '/api/v1/site?filter=' + encodeURIComponent(filter) + '&archived=' + showDeleted + '&page=' + page + '&per_page=' + count;
+            fetch(url, {cache: 'no-cache'})
+                .then(dojo.hitch(this, function(response) {
+                    var total = parseInt(response.headers.get('X-Pagination-Total-Entries') || '0', 10);
+                    return response.json().then(dojo.hitch(this, function(data) {
+                        this.refreshHostTableCallback(data.entity, total);
+                    }));
+                }))
+                .catch(function(error) { console.error('Error loading hosts:', error); });
         },
-        refreshHostTableCallback: function(data){
+        refreshHostTableCallback: function(list, total){
             //Clearing up the table
-            DWRUtil.removeAllRows(dojo.byId('hostsTableHeader'));
-            DWRUtil.removeAllRows(dojo.byId('hostsTableBody'));
+            dojo.byId('hostsTableHeader').innerHTML = '';
+            dojo.byId('hostsTableBody').innerHTML = '';
             dojo.byId('hostContextMenues').innerHTML = '';
 
-            //Data variables
-            var total = data.total;
-            var list = data.list;
-            var structure = data.strucuture;
-            var fields = data.fields;
-
-            //Adding the headers to the table
-            var hostNameField;
-            var columnsHTML = '';
-            var listedFields = [];
-
-            for (var i = 0; i < fields.length; i++) {
-                var field = fields[i];
-                if (field.fieldVelocityVarName == 'hostName') {
-                    hostNameField = field;
-                    continue;
-                }
-
-                if (field.fieldListed) {
-                    columnsHTML += dojo.replace(this.tableHeaderColumnTemplate, field);
-                    listedFields.push(field);
-                }
-            }
+            //Adding the headers to the table - use known fixed columns for hosts
             var headersHTML = dojo.replace(this.tableHeaderRowTemplate, {
-                hostNameHeader: hostNameField.fieldName,
-                headerColumns: columnsHTML
+                hostNameHeader: 'Host Name',
+                headerColumns: dojo.replace(this.tableHeaderColumnTemplate, {fieldName: 'Aliases'})
             });
             dojo.place(headersHTML, 'hostsTableHeader', 'last');
 
@@ -400,30 +391,24 @@
             for (var i = 0; i < list.length; i++) {
 
                 var content = list[i];
-                var rowColumnsHTML = '';
-
-                for (var j = 0; j < listedFields.length; j++) {
-                    var field = listedFields[j];
-                    var value = content[field.fieldVelocityVarName] == null?'':content[field.fieldVelocityVarName];
-                    if(field.fieldVelocityVarName == 'aliases')
-                        value = value.replace(/\n/g, '<br/>');
-                    rowColumnsHTML += dojo.replace(this.tableRowColumnTemplate, {
-                        value: value == null?"":value
-                    });
-                }
+
+                // Normalize REST response field names to match what the templates expect
+                content.hostName = content.hostname || content.hostName || '';
+                content.workingInode = content.inode || content.workingInode || '';
+
+                var aliasValue = (content.aliases || '').replace(/\n/g, '<br/>');
+                var rowColumnsHTML = dojo.replace(this.tableRowColumnTemplate, { value: aliasValue });
 
                 if(content.isDefault && content.live)
                     content.imgSrc = 'hostDefaultIcon';
                 else if (content.live)
                     content.imgSrc = 'hostIcon';
                 else if(content.archived)
-					content.imgSrc = 'hostArchivedIcon';
+                    content.imgSrc = 'hostArchivedIcon';
                 else
                     content.imgSrc = 'hostStoppedIcon';
                 if(content.isDefault)
-                	content.hostName = '<b>' + content[hostNameField.fieldVelocityVarName] + ' (<%= LanguageUtil.get(pageContext, "Default") %>)</b>';
-                else
-                	content.hostName = content[hostNameField.fieldVelocityVarName];
+                    content.hostName = '<b>' + (content.hostname || content.hostName || '') + ' (<%= LanguageUtil.get(pageContext, "Default") %>)</b>';
                 content.rowColumns = rowColumnsHTML;
 
                 var rowHTML = dojo.replace(this.tableRowTemplate, content);
@@ -433,12 +418,12 @@
                 dijit.registry.remove(content.identifier + "SetupProgress");
                 dojo.parser.parse("row" + content.identifier);
                 if(content.hostInSetup) {
-                	dojo.attr(content.identifier + "SetupProgress",'style','display:block;width:100px;');
+                    dojo.attr(content.identifier + "SetupProgress",'style','display:block;width:100px;');
                     setTimeout(dojo.hitch(this, this.checkSetupProgress, content.identifier), 1000);
                 }
 
                 //Checking the status and permission to stop, start, edit and delete a host
-				var menuesHTML = '';
+                var menuesHTML = '';
                 if (dojo.indexOf(content.userPermissions, 2) > 0  && content.archived == false) {
                     menuesHTML += dojo.replace(this.tableEditRowMenuTemplate, content);
                 }
@@ -534,7 +519,12 @@
 
         },
         checkSetupProgress: function(hostIdentifier){
-			HostAjax.getHostSetupProgress(hostIdentifier, dojo.hitch(this, this.checkSetupProgressCallback, hostIdentifier));
+            fetch('/api/v1/site/' + hostIdentifier + '/setup_progress', {cache: 'no-cache'})
+                .then(function(response) { return response.json(); })
+                .then(dojo.hitch(this, function(data) {
+                    this.checkSetupProgressCallback(hostIdentifier, data.entity);
+                }))
+                .catch(function(error) { console.error('Error checking setup progress:', error); });
         },
         checkSetupProgressCallback: function(hostIdentifier, progress){
 			if(progress < 0 || progress >= 100)
@@ -552,15 +542,15 @@
 			}
         },
         filterHosts: function(){
-        	DWRUtil.removeAllRows(dojo.byId('hostsTableHeader'));
-		    DWRUtil.removeAllRows(dojo.byId('hostsTableBody'));
+        	dojo.byId('hostsTableHeader').innerHTML = '';
+		    dojo.byId('hostsTableBody').innerHTML = '';
 		    dojo.byId('resultsSummary').innerHTML = this.tableLoadingTemplate;
             clearTimeout(this.filterHandler);
             this.filterHandler = setTimeout(dojo.hitch(this, this.refreshHostTable), 700);
         },
         clearFilter: function(){
-        	DWRUtil.removeAllRows(dojo.byId('hostsTableHeader'));
-		    DWRUtil.removeAllRows(dojo.byId('hostsTableBody'));
+        	dojo.byId('hostsTableHeader').innerHTML = '';
+		    dojo.byId('hostsTableBody').innerHTML = '';
 		    dojo.byId('resultsSummary').innerHTML = this.tableLoadingTemplate;
         	dijit.byId('showDeleted').attr('checked', false);
             dijit.byId('filter').attr('value', '');
@@ -583,7 +573,10 @@
 		},
 		publishHost: function (id) {
 			if(confirm(publishConfirmMessage)) {
-				HostAjax.publishHost(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id + '/_publish', {method: 'PUT', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error publishing host:', error); });
 			}
 		},
 		remotePublish: function (id) {
@@ -594,42 +587,55 @@
 		},
 		unpublishHost: function (id) {
 			if(confirm(unpublishConfirmMessage)) {
-				HostAjax.unpublishHost(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id + '/_unpublish', {method: 'PUT', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error unpublishing host:', error); });
 			}
 		},
 		archiveHost: function (id) {
 			if(confirm(archiveConfirmMessage)) {
-				HostAjax.archiveHost(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id + '/_archive', {method: 'PUT', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error archiving host:', error); });
 			}
 		},
 		unarchiveHost: function (id) {
 			if(confirm(unarchiveConfirmMessage)) {
-				HostAjax.unarchiveHost(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id + '/_unarchive', {method: 'PUT', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error unarchiving host:', error); });
 			}
 		},
 		deleteHost: function (id) {
 			if(confirm(deleteConfirmMessage)) {
-				DWRUtil.removeAllRows(dojo.byId('hostsTableHeader'));
-			    DWRUtil.removeAllRows(dojo.byId('hostsTableBody'));
+				dojo.byId('hostsTableHeader').innerHTML = '';
+			    dojo.byId('hostsTableBody').innerHTML = '';
 			    dojo.byId('resultsSummary').innerHTML = this.tableLoadingTemplate;
 			    setTimeout(dojo.hitch(this, this.refreshAfterDelete, id), 1000);
-				HostAjax.deleteHost(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id, {method: 'DELETE', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error deleting host:', error); });
 			}
 		},
         refreshAfterDelete: function(identifier){
             var filter = dijit.byId('filter').attr('value');
             var showDeleted = dijit.byId('showDeleted').attr('checked');
-            var offset = (this.currentPage - 1) * this.RESULTS_PER_PAGE;
+            var page = this.currentPage;
             var count = this.RESULTS_PER_PAGE;
-            var callMetaData = {
-            		  callback:dojo.hitch(this, this.refreshAfterDeleteCallback),
-            		  arg: identifier
-            		};
-            HostAjax.findHostsPaginated(filter, showDeleted, offset, count, callMetaData);
+            var url = '/api/v1/site?filter=' + encodeURIComponent(filter) + '&archived=' + showDeleted + '&page=' + page + '&per_page=' + count;
+            fetch(url, {cache: 'no-cache'})
+                .then(function(response) { return response.json(); })
+                .then(dojo.hitch(this, function(data) {
+                    this.refreshAfterDeleteCallback(data.entity, identifier);
+                }))
+                .catch(function(error) { console.error('Error refreshing hosts after delete:', error); });
         },
-        refreshAfterDeleteCallback: function(data, identifier){
-            var list = data.list;
-			var isDeletionDone = true;
+        refreshAfterDeleteCallback: function(list, identifier){
+            var isDeletionDone = true;
             for (var i = 0; i < list.length; i++) {
                 if(list[i]["identifier"] == identifier)
                 	isDeletionDone = false;
@@ -651,10 +657,13 @@
         },
 		makeDefault: function (id) {
 			if(confirm(makeDefaultConfirmMessage)) {
-				DWRUtil.removeAllRows(dojo.byId('hostsTableHeader'));
-			    DWRUtil.removeAllRows(dojo.byId('hostsTableBody'));
+				dojo.byId('hostsTableHeader').innerHTML = '';
+			    dojo.byId('hostsTableBody').innerHTML = '';
 			    dojo.byId('resultsSummary').innerHTML = this.tableLoadingTemplate;
-				HostAjax.makeDefault(id, dojo.hitch(this, this.refreshHostTable));
+				fetch('/api/v1/site/' + id + '/_makedefault', {method: 'PUT', cache: 'no-cache'})
+					.then(function(response) { return response.json(); })
+					.then(dojo.hitch(this, this.refreshHostTable))
+					.catch(function(error) { console.error('Error making host default:', error); });
 			}
 		}
 

From a82d513d07d4ef26975ea8804843e936ddb72f4f Mon Sep 17 00:00:00 2001
From: Will Ezell <will@dotcms.com>
Date: Fri, 27 Feb 2026 10:25:40 -0500
Subject: [PATCH 2/4] test(dwr) #34797: add integration tests for
 PermissionResource REST endpoint

Adds 31 new integration tests covering the previously untested endpoints:
GET /{assetId}, PUT /role/{roleId}/asset/{assetId}, PUT /{assetId}/_individualpermission,
GET /{assetId}/_permissionable, GET /_bypermissiontype, and GET /_bycontent.
Includes security boundary, pagination, roundtrip, and error case coverage.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../PermissionResourceIntegrationTest.java    | 682 ++++++++++++++++++
 1 file changed, 682 insertions(+)

diff --git a/dotcms-integration/src/test/java/com/dotcms/rest/api/v1/system/permission/PermissionResourceIntegrationTest.java b/dotcms-integration/src/test/java/com/dotcms/rest/api/v1/system/permission/PermissionResourceIntegrationTest.java
index 16c2263ba9c3..2fc5ee4a6ae9 100644
--- a/dotcms-integration/src/test/java/com/dotcms/rest/api/v1/system/permission/PermissionResourceIntegrationTest.java
+++ b/dotcms-integration/src/test/java/com/dotcms/rest/api/v1/system/permission/PermissionResourceIntegrationTest.java
@@ -1,12 +1,17 @@
 package com.dotcms.rest.api.v1.system.permission;
 
 import com.dotcms.api.web.HttpServletRequestThreadLocal;
+import com.dotcms.contenttype.exception.NotFoundInDbException;
+import com.dotcms.datagen.ContentTypeDataGen;
+import com.dotcms.datagen.ContentletDataGen;
 import com.dotcms.datagen.FolderDataGen;
 import com.dotcms.datagen.RoleDataGen;
 import com.dotcms.datagen.SiteDataGen;
+import com.dotcms.datagen.TemplateDataGen;
 import com.dotcms.datagen.TestUserUtils;
 import com.dotcms.datagen.UserDataGen;
 import com.dotcms.rest.ResponseEntityPaginatedDataView;
+import com.dotcms.rest.ResponseEntityStringView;
 import com.dotcms.rest.exception.ConflictException;
 import com.dotcms.mock.request.MockAttributeRequest;
 import com.dotcms.mock.request.MockHeaderRequest;
@@ -20,12 +25,15 @@
 import com.dotmarketing.business.PermissionAPI;
 import com.dotmarketing.business.Role;
 import com.dotcms.rest.exception.BadRequestException;
+import com.dotmarketing.portlets.contentlet.model.Contentlet;
 import com.dotmarketing.portlets.folders.model.Folder;
+import com.dotmarketing.portlets.templates.model.Template;
 import com.liferay.portal.ejb.UserTestUtil;
 import com.liferay.portal.model.User;
 import com.liferay.portal.util.WebKeys;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.Response;
 import com.liferay.util.Base64;
 import static org.junit.Assert.*;
 import java.util.ArrayList;
@@ -1412,4 +1420,678 @@ public void test_getRolePermissions_responseStructure() throws DotDataException,
         }
         assertTrue("Should find the test folder in assets", foundFolder);
     }
+
+    // ==================== GET Asset Permissions Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin user requests permissions for a host.</li>
+     *     <li><b>Expected Result:</b> Returns asset metadata (assetId, assetType, inheritanceMode)
+     *     and a paginated list of role permissions.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getAssetPermissions_hostAsAdmin_success() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final ResponseEntityPaginatedDataView responseView = resource.getAssetPermissions(
+                request, response, testHost.getIdentifier(), 1, 40);
+
+        assertNotNull("Response should not be null", responseView);
+        final Object entity = responseView.getEntity();
+        assertNotNull("Entity should not be null", entity);
+
+        // The entity is an AssetPermissionsView
+        assertTrue("Entity should be AssetPermissionsView",
+                entity instanceof AssetPermissionsView);
+
+        final AssetPermissionsView view = (AssetPermissionsView) entity;
+        assertEquals("assetId should match", testHost.getIdentifier(), view.assetId());
+        assertEquals("assetType should be HOST", PermissionAPI.Scope.HOST, view.assetType());
+        assertNotNull("inheritanceMode should be present", view.inheritanceMode());
+        assertTrue("host should be parentPermissionable", view.isParentPermissionable());
+        assertNotNull("permissions list should be present", view.permissions());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin user requests permissions for a folder.</li>
+     *     <li><b>Expected Result:</b> Returns asset metadata with FOLDER type and permissions.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getAssetPermissions_folderAsAdmin_success() throws Exception {
+        final Folder testFolder = new FolderDataGen().site(testHost).nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final ResponseEntityPaginatedDataView responseView = resource.getAssetPermissions(
+                request, response, testFolder.getInode(), 1, 40);
+
+        assertNotNull("Response should not be null", responseView);
+        final AssetPermissionsView view = (AssetPermissionsView) responseView.getEntity();
+        assertEquals("assetType should be FOLDER", PermissionAPI.Scope.FOLDER, view.assetType());
+        assertTrue("folder should be parentPermissionable", view.isParentPermissionable());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Asset ID does not exist in the system.</li>
+     *     <li><b>Expected Result:</b> NotFoundInDbException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = NotFoundInDbException.class)
+    public void test_getAssetPermissions_assetNotFound_throws404() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        resource.getAssetPermissions(request, response, "non-existent-asset-id-99999", 1, 40);
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user without READ permission on the asset.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_getAssetPermissions_noReadPermission_throws403() throws Exception {
+        // Create a host with no permissions for limited user
+        final Host restrictedHost = new SiteDataGen().nextPersisted();
+
+        final String knownPassword = "testPassword202";
+        final User noPermUser = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        final HttpServletRequest request = getHttpRequest(noPermUser.getEmailAddress(), knownPassword);
+
+        resource.getAssetPermissions(request, response, restrictedHost.getIdentifier(), 1, 40);
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin requests asset permissions with pagination page=1, per_page=2.</li>
+     *     <li><b>Expected Result:</b> Response respects pagination and returns limited results.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getAssetPermissions_pagination_success() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        // Use updateTestHost which has permissions set up for multiple roles
+        final ResponseEntityPaginatedDataView responseView = resource.getAssetPermissions(
+                request, response, updateTestHost.getIdentifier(), 1, 2);
+
+        assertNotNull("Response should not be null", responseView);
+        final AssetPermissionsView view = (AssetPermissionsView) responseView.getEntity();
+        assertNotNull("permissions should be present", view.permissions());
+        assertTrue("permissions page should respect per_page limit",
+                view.permissions().size() <= 2);
+    }
+
+    // ==================== Update Role Permissions Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateRolePermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin user updates INDIVIDUAL permissions for a role on a host.</li>
+     *     <li><b>Expected Result:</b> Permissions are saved successfully with the specified levels.</li>
+     * </ul>
+     */
+    @Test
+    public void test_updateRolePermissions_basicIndividual_success() throws Exception {
+        final Role roleToUpdate = new RoleDataGen().nextPersisted();
+        final Host roleTestHost = new SiteDataGen().nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Map<String, List<String>> permissions = new HashMap<>();
+        permissions.put("INDIVIDUAL", Arrays.asList("READ", "WRITE"));
+
+        final UpdateRolePermissionsForm form = new UpdateRolePermissionsForm(permissions);
+
+        final ResponseEntityUpdateRolePermissionsView responseView = resource.updateRolePermissions(
+                request, response, roleToUpdate.getId(), roleTestHost.getIdentifier(), false, form);
+
+        assertNotNull("Response should not be null", responseView);
+        final UpdateRolePermissionsView entity = responseView.getEntity();
+        assertNotNull("Entity should not be null", entity);
+        assertEquals("roleId should match", roleToUpdate.getId(), entity.roleId());
+        assertEquals("roleName should match", roleToUpdate.getName(), entity.roleName());
+        assertNotNull("asset should be present", entity.asset());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateRolePermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin user updates permissions with multiple scopes
+     *     (INDIVIDUAL + FOLDER + CONTENT) for a role on a folder.</li>
+     *     <li><b>Expected Result:</b> Permissions saved with all scopes.</li>
+     * </ul>
+     */
+    @Test
+    public void test_updateRolePermissions_multipleScopes_success() throws Exception {
+        final Role roleToUpdate = new RoleDataGen().nextPersisted();
+        final Folder roleTestFolder = new FolderDataGen().site(testHost).nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Map<String, List<String>> permissions = new HashMap<>();
+        permissions.put("INDIVIDUAL", Arrays.asList("READ", "WRITE", "PUBLISH"));
+        permissions.put("FOLDER", Arrays.asList("READ", "CAN_ADD_CHILDREN"));
+        permissions.put("CONTENT", Arrays.asList("READ", "WRITE", "PUBLISH"));
+
+        final UpdateRolePermissionsForm form = new UpdateRolePermissionsForm(permissions);
+
+        final ResponseEntityUpdateRolePermissionsView responseView = resource.updateRolePermissions(
+                request, response, roleToUpdate.getId(), roleTestFolder.getInode(), false, form);
+
+        assertNotNull("Response should not be null", responseView);
+        final UpdateRolePermissionsView entity = responseView.getEntity();
+        assertNotNull("Entity should not be null", entity);
+        assertNotNull("asset should be present", entity.asset());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateRolePermissions}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user attempts to update role permissions.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_updateRolePermissions_nonAdmin_forbidden() throws Exception {
+        final Role roleToUpdate = new RoleDataGen().nextPersisted();
+
+        final String knownPassword = "testPassword303";
+        final User nonAdminUser = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        final Map<String, List<String>> permissions = new HashMap<>();
+        permissions.put("INDIVIDUAL", Arrays.asList("READ"));
+
+        final UpdateRolePermissionsForm form = new UpdateRolePermissionsForm(permissions);
+
+        resource.updateRolePermissions(
+                getHttpRequest(nonAdminUser.getEmailAddress(), knownPassword),
+                response, roleToUpdate.getId(), testHost.getIdentifier(), false, form);
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateRolePermissions}</li>
+     *     <li><b>Given Scenario:</b> Invalid scope name in the form.</li>
+     *     <li><b>Expected Result:</b> BadRequestException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = BadRequestException.class)
+    public void test_updateRolePermissions_invalidScope_badRequest() throws Exception {
+        final Role roleToUpdate = new RoleDataGen().nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Map<String, List<String>> permissions = new HashMap<>();
+        permissions.put("INVALID_SCOPE", Arrays.asList("READ"));
+
+        final UpdateRolePermissionsForm form = new UpdateRolePermissionsForm(permissions);
+
+        resource.updateRolePermissions(
+                request, response, roleToUpdate.getId(), testHost.getIdentifier(), false, form);
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateRolePermissions}</li>
+     *     <li><b>Given Scenario:</b> Empty role ID provided.</li>
+     *     <li><b>Expected Result:</b> BadRequestException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = BadRequestException.class)
+    public void test_updateRolePermissions_emptyRoleId_badRequest() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Map<String, List<String>> permissions = new HashMap<>();
+        permissions.put("INDIVIDUAL", Arrays.asList("READ"));
+
+        final UpdateRolePermissionsForm form = new UpdateRolePermissionsForm(permissions);
+
+        resource.updateRolePermissions(
+                request, response, "", testHost.getIdentifier(), false, form);
+    }
+
+    // ==================== Break Permission Inheritance Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#permissionIndividually}</li>
+     *     <li><b>Given Scenario:</b> Admin user breaks inheritance on a folder that currently inherits.</li>
+     *     <li><b>Expected Result:</b> Success response, and the folder now has individual permissions.</li>
+     * </ul>
+     */
+    @Test
+    public void test_permissionIndividually_folder_success() throws Exception {
+        // Create a fresh folder under testHost (should inherit by default)
+        final Folder freshFolder = new FolderDataGen()
+                .site(testHost)
+                .title("inherit-break-test")
+                .nextPersisted();
+
+        // Ensure it's inheriting first
+        APILocator.getPermissionAPI().resetPermissionsUnder(testHost);
+
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final ResponseEntityStringView responseView = resource.permissionIndividually(
+                request, response, freshFolder.getInode());
+
+        assertNotNull("Response should not be null", responseView);
+        assertEquals("Success message should be returned",
+                "Permission inheritance broken successfully", responseView.getEntity());
+
+        // Verify the folder now has individual permissions
+        final boolean isInheriting = APILocator.getPermissionAPI().isInheritingPermissions(freshFolder);
+        assertFalse("Folder should no longer inherit permissions", isInheriting);
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#permissionIndividually}</li>
+     *     <li><b>Given Scenario:</b> Asset ID does not exist.</li>
+     *     <li><b>Expected Result:</b> NotFoundInDbException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = NotFoundInDbException.class)
+    public void test_permissionIndividually_assetNotFound_throws404() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        resource.permissionIndividually(request, response, "non-existent-asset-id-88888");
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#permissionIndividually}</li>
+     *     <li><b>Given Scenario:</b> User without EDIT_PERMISSIONS on the asset.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_permissionIndividually_noEditPermission_throws403() throws Exception {
+        final Host restrictedHost = new SiteDataGen().nextPersisted();
+        final Folder restrictedFolder = new FolderDataGen()
+                .site(restrictedHost)
+                .nextPersisted();
+
+        final String knownPassword = "testPassword404";
+        final User noPermUser = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        // Give READ only (no EDIT_PERMISSIONS)
+        final Role userRole = APILocator.getRoleAPI().getUserRole(noPermUser);
+        final Permission readOnlyPerm = new Permission(
+                restrictedFolder.getPermissionId(),
+                userRole.getId(),
+                PermissionAPI.PERMISSION_READ,
+                true
+        );
+        APILocator.getPermissionAPI().save(readOnlyPerm, restrictedFolder, adminUser, false);
+
+        resource.permissionIndividually(
+                getHttpRequest(noPermUser.getEmailAddress(), knownPassword),
+                response, restrictedFolder.getInode());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#permissionIndividually}</li>
+     *     <li><b>Given Scenario:</b> Empty asset ID provided.</li>
+     *     <li><b>Expected Result:</b> BadRequestException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = BadRequestException.class)
+    public void test_permissionIndividually_emptyAssetId_throws400() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        resource.permissionIndividually(request, response, "");
+    }
+
+    // ==================== Get Permissionable Object Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionableObject}</li>
+     *     <li><b>Given Scenario:</b> Admin requests permissionable metadata for a host.</li>
+     *     <li><b>Expected Result:</b> Returns correct metadata with isHost=true.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getPermissionableObject_host_success() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final ResponseEntityPermissionableObjectView responseView =
+                resource.getPermissionableObject(request, response, testHost.getIdentifier());
+
+        assertNotNull("Response should not be null", responseView);
+        final PermissionableObjectView view = responseView.getEntity();
+        assertNotNull("Entity should not be null", view);
+        assertEquals("id should match", testHost.getIdentifier(), view.getId());
+        assertTrue("isHost should be true", view.isHost());
+        assertFalse("isFolder should be false", view.isFolder());
+        assertTrue("admin should have permissions to edit", view.isDoesUserHavePermissionsToEdit());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionableObject}</li>
+     *     <li><b>Given Scenario:</b> Admin requests permissionable metadata for a folder.</li>
+     *     <li><b>Expected Result:</b> Returns correct metadata with isFolder=true.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getPermissionableObject_folder_success() throws Exception {
+        final Folder testFolder = new FolderDataGen().site(testHost).nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final ResponseEntityPermissionableObjectView responseView =
+                resource.getPermissionableObject(request, response, testFolder.getInode());
+
+        assertNotNull("Response should not be null", responseView);
+        final PermissionableObjectView view = responseView.getEntity();
+        assertNotNull("Entity should not be null", view);
+        assertTrue("isFolder should be true", view.isFolder());
+        assertFalse("isHost should be false", view.isHost());
+        assertTrue("isParentPermissionable should be true", view.isParentPermissionable());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionableObject}</li>
+     *     <li><b>Given Scenario:</b> Empty asset ID provided.</li>
+     *     <li><b>Expected Result:</b> BadRequestException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = BadRequestException.class)
+    public void test_getPermissionableObject_emptyAssetId_throws400() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        resource.getPermissionableObject(request, response, "");
+    }
+
+    // ==================== Get Permissions By Permission Type Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionsByPermissionType}</li>
+     *     <li><b>Given Scenario:</b> Admin user requests permissions by type for another user.</li>
+     *     <li><b>Expected Result:</b> Returns map of permission types indexed by permissionable types.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getPermissionsByPermissionType_adminForUser_success() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Response result = resource.getPermissionsByPermissionType(
+                request, response, adminUser.getUserId(), "READ", null);
+
+        assertNotNull("Response should not be null", result);
+        assertEquals("Status should be 200", 200, result.getStatus());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionsByPermissionType}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user requests their own permissions.</li>
+     *     <li><b>Expected Result:</b> Success - user can view own permissions.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getPermissionsByPermissionType_selfAccess_success() throws Exception {
+        final String knownPassword = "testPassword505";
+        final User testUser = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        final HttpServletRequest request = getHttpRequest(testUser.getEmailAddress(), knownPassword);
+
+        final Response result = resource.getPermissionsByPermissionType(
+                request, response, testUser.getUserId(), "READ", null);
+
+        assertNotNull("Response should not be null", result);
+        assertEquals("Status should be 200", 200, result.getStatus());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getPermissionsByPermissionType}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user tries to access another user's permissions.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_getPermissionsByPermissionType_nonAdminAccessOther_forbidden() throws Exception {
+        final String knownPassword = "testPassword606";
+        final User testUser = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        final HttpServletRequest request = getHttpRequest(testUser.getEmailAddress(), knownPassword);
+
+        // Try to access admin's permissions
+        resource.getPermissionsByPermissionType(
+                request, response, adminUser.getUserId(), "READ", null);
+    }
+
+    // ==================== Get By Contentlet Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getByContentlet}</li>
+     *     <li><b>Given Scenario:</b> Admin requests permissions for a contentlet.</li>
+     *     <li><b>Expected Result:</b> Returns permissions list for the contentlet.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getByContentlet_adminAccess_success() throws Exception {
+        // Create a contentlet using the default content type
+        final Contentlet testContentlet = new ContentletDataGen(
+                APILocator.getContentTypeAPI(APILocator.systemUser())
+                        .find("webPageContent").id())
+                .host(testHost)
+                .setProperty("title", "Test Content for Permissions")
+                .setProperty("body", "Test body")
+                .languageId(1)
+                .nextPersisted();
+
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Response result = resource.getByContentlet(
+                request, response, testContentlet.getIdentifier(), "READ");
+
+        assertNotNull("Response should not be null", result);
+        assertEquals("Status should be 200", 200, result.getStatus());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getByContentlet}</li>
+     *     <li><b>Given Scenario:</b> Admin requests permissions with type ALL.</li>
+     *     <li><b>Expected Result:</b> Returns all permissions (unfiltered).</li>
+     * </ul>
+     */
+    @Test
+    public void test_getByContentlet_typeAll_success() throws Exception {
+        final Contentlet testContentlet = new ContentletDataGen(
+                APILocator.getContentTypeAPI(APILocator.systemUser())
+                        .find("webPageContent").id())
+                .host(testHost)
+                .setProperty("title", "Test Content ALL Permissions")
+                .setProperty("body", "Test body")
+                .languageId(1)
+                .nextPersisted();
+
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Response result = resource.getByContentlet(
+                request, response, testContentlet.getIdentifier(), "ALL");
+
+        assertNotNull("Response should not be null", result);
+        assertEquals("Status should be 200", 200, result.getStatus());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getByContentlet}</li>
+     *     <li><b>Given Scenario:</b> Contentlet ID does not exist.</li>
+     *     <li><b>Expected Result:</b> 404 Not Found response.</li>
+     * </ul>
+     */
+    @Test
+    public void test_getByContentlet_contentletNotFound_returns404() throws Exception {
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Response result = resource.getByContentlet(
+                request, response, "non-existent-contentlet-99999", "READ");
+
+        assertNotNull("Response should not be null", result);
+        assertEquals("Status should be 404", 404, result.getStatus());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#getByContentlet}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user tries to access contentlet permissions.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_getByContentlet_nonAdmin_forbidden() throws Exception {
+        final String knownPassword = "testPassword707";
+        final User nonAdmin = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        resource.getByContentlet(
+                getHttpRequest(nonAdmin.getEmailAddress(), knownPassword),
+                response, "any-contentlet-id", "READ");
+    }
+
+    // ==================== Reset + Re-get roundtrip Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> Multiple endpoints in sequence</li>
+     *     <li><b>Given Scenario:</b> Admin sets individual permissions on a folder, reads them,
+     *     resets to inherited, and reads again.</li>
+     *     <li><b>Expected Result:</b> After reset, the folder returns to inherited mode.</li>
+     * </ul>
+     */
+    @Test
+    public void test_roundtrip_setPermissions_thenReset_success() throws Exception {
+        // Create a fresh folder
+        final Folder roundtripFolder = new FolderDataGen()
+                .site(testHost)
+                .title("roundtrip-test")
+                .nextPersisted();
+
+        final HttpServletRequest adminRequest = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        // Step 1: Set individual permissions via updateAssetPermissions
+        final Role roundtripRole = new RoleDataGen().nextPersisted();
+        final RolePermissionForm roleForm = new RolePermissionForm(
+                roundtripRole.getId(),
+                EnumSet.of(PermissionAPI.Type.READ, PermissionAPI.Type.WRITE),
+                null
+        );
+        final UpdateAssetPermissionsForm updateForm = new UpdateAssetPermissionsForm(
+                Arrays.asList(roleForm)
+        );
+
+        resource.updateAssetPermissions(
+                adminRequest, response, roundtripFolder.getInode(), false, updateForm);
+
+        // Step 2: Verify asset has individual permissions
+        final ResponseEntityPaginatedDataView getResponse = resource.getAssetPermissions(
+                getHttpRequest(adminUser.getEmailAddress(), "admin"),
+                response, roundtripFolder.getInode(), 1, 40);
+
+        final AssetPermissionsView viewAfterUpdate = (AssetPermissionsView) getResponse.getEntity();
+        assertEquals("Should be INDIVIDUAL after update",
+                InheritanceMode.INDIVIDUAL, viewAfterUpdate.inheritanceMode());
+
+        // Step 3: Reset permissions to inherited
+        resource.resetAssetPermissions(
+                getHttpRequest(adminUser.getEmailAddress(), "admin"),
+                response, roundtripFolder.getInode());
+
+        // Step 4: Verify it's now inherited
+        final ResponseEntityPaginatedDataView getResponseAfterReset = resource.getAssetPermissions(
+                getHttpRequest(adminUser.getEmailAddress(), "admin"),
+                response, roundtripFolder.getInode(), 1, 40);
+
+        final AssetPermissionsView viewAfterReset = (AssetPermissionsView) getResponseAfterReset.getEntity();
+        assertEquals("Should be INHERITED after reset",
+                InheritanceMode.INHERITED, viewAfterReset.inheritanceMode());
+    }
+
+    // ==================== Non-admin Security Boundary Tests ====================
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#resetAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Non-admin user attempts to reset asset permissions.</li>
+     *     <li><b>Expected Result:</b> DotSecurityException is thrown.</li>
+     * </ul>
+     */
+    @Test(expected = DotSecurityException.class)
+    public void test_resetAssetPermissions_nonAdmin_forbidden() throws Exception {
+        final String knownPassword = "testPassword808";
+        final User nonAdmin = new UserDataGen()
+                .password(knownPassword)
+                .roles(TestUserUtils.getBackendRole())
+                .nextPersisted();
+
+        resource.resetAssetPermissions(
+                getHttpRequest(nonAdmin.getEmailAddress(), knownPassword),
+                response, testHost.getIdentifier());
+    }
+
+    /**
+     * <ul>
+     *     <li><b>Method to test:</b> {@link PermissionResource#updateAssetPermissions}</li>
+     *     <li><b>Given Scenario:</b> Admin sets permissions for a template asset.</li>
+     *     <li><b>Expected Result:</b> Permissions updated successfully for non-folder/host asset.</li>
+     * </ul>
+     */
+    @Test
+    public void test_updateAssetPermissions_templateAsset_success() throws Exception {
+        final Template testTemplate = new TemplateDataGen().nextPersisted();
+        final HttpServletRequest request = getHttpRequest(adminUser.getEmailAddress(), "admin");
+
+        final Role templateRole = new RoleDataGen().nextPersisted();
+        final RolePermissionForm roleForm = new RolePermissionForm(
+                templateRole.getId(),
+                EnumSet.of(PermissionAPI.Type.READ),
+                null
+        );
+        final UpdateAssetPermissionsForm form = new UpdateAssetPermissionsForm(
+                Arrays.asList(roleForm)
+        );
+
+        // Use identifier (not inode) because AssetPermissionHelper.resolveAsset
+        // uses findWorkingTemplate which expects the identifier
+        final ResponseEntityUpdatePermissionsView responseView = resource.updateAssetPermissions(
+                request, response, testTemplate.getIdentifier(), false, form);
+
+        assertNotNull("Response should not be null", responseView);
+        final UpdateAssetPermissionsView entity = responseView.getEntity();
+        assertNotNull("Entity should not be null", entity);
+    }
 }

From a782e1d7e477c846beb378a81efb251b6fa86fa6 Mon Sep 17 00:00:00 2001
From: Will Ezell <will@dotcms.com>
Date: Fri, 27 Feb 2026 11:00:54 -0500
Subject: [PATCH 3/4] fix(dwr) #34797: resolve category permissions and
 inherited-from display

- Add Category to AssetPermissionHelper.resolveAsset() chain so category
  inodes are recognized as permissionable assets
- Add inheritedFromType/Path/Id fields to RolePermissionView so the
  "Getting permissions from parent:" label renders correctly
- Guard initPermission() in view_categories.jsp against undefined asset ID

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../AbstractRolePermissionView.java           | 42 +++++++++
 .../permission/AssetPermissionHelper.java     | 87 +++++++++++++++++++
 .../ext/categories/view_categories.jsp        |  4 +
 3 files changed, 133 insertions(+)

diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AbstractRolePermissionView.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AbstractRolePermissionView.java
index 5437e0f6e52e..21c1f3b4bfd6 100644
--- a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AbstractRolePermissionView.java
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AbstractRolePermissionView.java
@@ -96,4 +96,46 @@ public interface AbstractRolePermissionView {
     )
     @Nullable
     Map<PermissionAPI.Scope, Set<PermissionAPI.Type>> inheritable();
+
+    /**
+     * Gets the type of the asset from which permissions are inherited.
+     * Only populated when {@link #inherited()} is true.
+     *
+     * @return Inherited source type (host, folder, category, structure), or empty string if not inherited
+     */
+    @JsonProperty("inheritedFromType")
+    @Schema(
+        description = "Type of the parent asset from which permissions are inherited (host, folder, category, structure)",
+        example = "folder"
+    )
+    @Value.Default
+    default String inheritedFromType() { return ""; }
+
+    /**
+     * Gets the display path/name of the asset from which permissions are inherited.
+     * Only populated when {@link #inherited()} is true.
+     *
+     * @return Inherited source path or name, or empty string if not inherited
+     */
+    @JsonProperty("inheritedFromPath")
+    @Schema(
+        description = "Display path or name of the parent asset from which permissions are inherited",
+        example = "/about-us/"
+    )
+    @Value.Default
+    default String inheritedFromPath() { return ""; }
+
+    /**
+     * Gets the ID of the asset from which permissions are inherited.
+     * Only populated when {@link #inherited()} is true.
+     *
+     * @return Inherited source asset ID, or empty string if not inherited
+     */
+    @JsonProperty("inheritedFromId")
+    @Schema(
+        description = "Identifier of the parent asset from which permissions are inherited",
+        example = "abc-123-def-456"
+    )
+    @Value.Default
+    default String inheritedFromId() { return ""; }
 }
diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
index 498ccafbc796..8048783fb55e 100644
--- a/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
+++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/system/permission/AssetPermissionHelper.java
@@ -12,6 +12,7 @@
 import com.dotmarketing.business.RoleAPI;
 import com.dotmarketing.exception.DotDataException;
 import com.dotmarketing.exception.DotSecurityException;
+import com.dotmarketing.portlets.categories.model.Category;
 import com.dotmarketing.portlets.containers.model.Container;
 import com.dotmarketing.portlets.contentlet.business.HostAPI;
 import com.dotmarketing.portlets.contentlet.model.Contentlet;
@@ -159,6 +160,18 @@ public Permissionable resolveAsset(final String assetId)
             Logger.debug(this, () -> String.format("Not a container: %s", assetId));
         }
 
+        // Try Category
+        try {
+            final Category category = APILocator.getCategoryAPI()
+                .find(assetId, systemUser, respectFrontendRoles);
+            if (category != null && UtilMethods.isSet(category.getInode())) {
+                Logger.debug(this, () -> String.format("Resolved as Category: %s", assetId));
+                return category;
+            }
+        } catch (Exception e) {
+            Logger.debug(this, () -> String.format("Not a category: %s", assetId));
+        }
+
         Logger.warn(this, String.format("Unable to resolve asset: %s", assetId));
         return null;
     }
@@ -227,6 +240,26 @@ public List<RolePermissionView> buildRolePermissions(final Permissionable asset,
         final boolean isInheriting = permissionAPI.isInheritingPermissions(asset);
         final boolean isParentPermissionable = asset.isParentPermissionable();
 
+        // Resolve the parent permissionable for inherited-from info
+        String inheritedFromType = "";
+        String inheritedFromPath = "";
+        String inheritedFromId = "";
+        if (isInheriting) {
+            try {
+                final Permissionable parentPerm = permissionAPI.findParentPermissionable(asset);
+                if (parentPerm != null) {
+                    final String[] inheritInfo = resolveInheritedFromInfo(parentPerm);
+                    inheritedFromType = inheritInfo[0];
+                    inheritedFromPath = inheritInfo[1];
+                    inheritedFromId = inheritInfo[2];
+                }
+            } catch (Exception e) {
+                Logger.debug(this, () -> String.format(
+                    "Could not resolve parent permissionable for asset: %s - %s",
+                    asset.getPermissionId(), e.getMessage()));
+            }
+        }
+
         // Group permissions by role ID
         final Map<String, List<Permission>> permissionsByRole = permissions.stream()
             .collect(Collectors.groupingBy(Permission::getRoleId, LinkedHashMap::new, Collectors.toList()));
@@ -272,6 +305,9 @@ public List<RolePermissionView> buildRolePermissions(final Permissionable asset,
                     .roleId(roleId)
                     .roleName(role.getName())
                     .inherited(isInheriting)
+                    .inheritedFromType(inheritedFromType)
+                    .inheritedFromPath(inheritedFromPath)
+                    .inheritedFromId(inheritedFromId)
                     .individual(individual)
                     .inheritable(inheritable)
                     .build();
@@ -287,6 +323,57 @@ public List<RolePermissionView> buildRolePermissions(final Permissionable asset,
         return rolePermissions;
     }
 
+    /**
+     * Resolves the inherited-from metadata (type, path, id) for a parent permissionable.
+     * Matches the legacy DWR PermissionAjax behavior for the "Getting permissions from parent:" display.
+     *
+     * @param parentPerm The parent permissionable
+     * @return String array [type, path, id]
+     */
+    private String[] resolveInheritedFromInfo(final Permissionable parentPerm) {
+        try {
+            if (parentPerm instanceof Folder) {
+                final Folder folder = (Folder) parentPerm;
+                final String path = APILocator.getIdentifierAPI().find(folder.getIdentifier()).getPath();
+                return new String[]{"folder", path, folder.getInode()};
+            } else if (parentPerm instanceof Host) {
+                final Host host = (Host) parentPerm;
+                return new String[]{"host", host.getHostname(), host.getIdentifier()};
+            } else if (parentPerm instanceof Contentlet && ((Contentlet) parentPerm).isHost()) {
+                final Host host = new Host((Contentlet) parentPerm);
+                return new String[]{"host", host.getHostname(), host.getIdentifier()};
+            } else if (parentPerm instanceof Category) {
+                final Category category = (Category) parentPerm;
+                return new String[]{"category", category.getCategoryName(), category.getInode()};
+            } else if (parentPerm instanceof com.dotcms.contenttype.model.type.ContentType) {
+                final com.dotcms.contenttype.model.type.ContentType ct =
+                    (com.dotcms.contenttype.model.type.ContentType) parentPerm;
+                return new String[]{"structure", ct.name(), ct.inode()};
+            } else if (parentPerm instanceof com.dotmarketing.portlets.structure.model.Structure) {
+                final com.dotmarketing.portlets.structure.model.Structure structure =
+                    (com.dotmarketing.portlets.structure.model.Structure) parentPerm;
+                return new String[]{"structure", structure.getName(), structure.getInode()};
+            }
+        } catch (Exception e) {
+            Logger.debug(this, () -> String.format(
+                "Error resolving inherited-from info for permissionable: %s - %s",
+                parentPerm.getPermissionId(), e.getMessage()));
+        }
+
+        // Fallback: try to resolve as host by permission ID
+        try {
+            final Host host = hostAPI.find(parentPerm.getPermissionId(),
+                APILocator.getUserAPI().getSystemUser(), false);
+            if (host != null && UtilMethods.isSet(host.getIdentifier())) {
+                return new String[]{"host", host.getHostname(), host.getIdentifier()};
+            }
+        } catch (Exception e) {
+            Logger.debug(this, () -> "Fallback host lookup failed");
+        }
+
+        return new String[]{"", "", ""};
+    }
+
     /**
      * Converts a list of permissions to a set of permission types.
      * Handles bit-packed permissions correctly using EnumSet for efficiency.
diff --git a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
index bf2daa8a494d..3da02a382f83 100644
--- a/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
+++ b/dotCMS/src/main/webapp/html/portlet/ext/categories/view_categories.jsp
@@ -858,6 +858,10 @@
 
 
     function initPermission() {
+        if (!currentInodeOrIdentifier) {
+            return;
+        }
+
         var nameField = dojo.byId("permCatName");
         nameField.innerHTML = currentCatName;
 

From 297c21a50d0c29b3ff0ad792ece4b2e195904c54 Mon Sep 17 00:00:00 2001
From: Will Ezell <will@dotcms.com>
Date: Fri, 27 Feb 2026 13:30:53 -0500
Subject: [PATCH 4/4] debt(dwr): replacing PermissionAjax with rest endpoint

ref: #34797
---
 .../src/main/webapp/WEB-INF/openapi/openapi.yaml   | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml b/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
index daf3a0f5cb66..31f36e210d48 100644
--- a/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
+++ b/dotCMS/src/main/webapp/WEB-INF/openapi/openapi.yaml
@@ -28057,6 +28057,20 @@ components:
           type: boolean
           description: Whether permissions are inherited from a parent asset
           example: false
+        inheritedFromId:
+          type: string
+          description: Identifier of the parent asset from which permissions are inherited
+          example: abc-123-def-456
+        inheritedFromPath:
+          type: string
+          description: Display path or name of the parent asset from which permissions
+            are inherited
+          example: /about-us/
+        inheritedFromType:
+          type: string
+          description: "Type of the parent asset from which permissions are inherited\
+            \ (host, folder, category, structure)"
+          example: folder
         roleId:
           type: string
           description: Role identifier