Check node permissions when restoring a version

Signed-off-by: Louis Chemineau <louis@chmn.me>

diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index fe7f41e81550f4a56bf3711ae4799b604025578a..a591c2ae61ffeff1ffc106ff61ef4abe1e7fd144 100644 (file)
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -178,6 +178,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
        }
 
        public function rollback(IVersion $version) {
+               if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+                       throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+               }
+
                return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
        }