From: Louis Chemineau <louis@chmn.me>
Date: Tue, 13 Feb 2024 11:51:01 +0000 (+0100)
Subject: Check node permissions when restoring a version
X-Git-Tag: v29.0.0beta1~168^2~2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=37d0fd109a921d760d621a4f0a11cf05c9c7211f;p=nextcloud-server.git

Check node permissions when restoring a version

Signed-off-by: Louis Chemineau <louis@chmn.me>
---

diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index fe7f41e8155..a591c2ae61f 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -178,6 +178,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
 	}
 
 	public function rollback(IVersion $version) {
+		if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+			throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+		}
+
 		return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
 	}