Check node permissions when restoring a version

Signed-off-by: Louis Chemineau <louis@chmn.me>
author: Louis Chemineau <louis@chmn.me> 2024-02-13 12:51:01 +0100
committer: Louis <louis@chmn.me> 2024-02-21 21:49:23 +0100
commit: 19fcee2ede3b03757d4388dcdb3a5c01b4998a22 (patch)
tree: 11a6f6606e588a016e2ab880d2fb40681e61cb9b /apps/files_versions
parent: fa1a08f5eea7d7daf8f5b0935945ec4932202df6 (diff)
download: nextcloud-server-19fcee2ede3b03757d4388dcdb3a5c01b4998a22.tar.gz
nextcloud-server-19fcee2ede3b03757d4388dcdb3a5c01b4998a22.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index fe7f41e8155..a591c2ae61f 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -178,6 +178,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
 	}
 
 	public function rollback(IVersion $version) {
+		if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+			throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+		}
+
 		return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
 	}
author	Louis Chemineau <louis@chmn.me>	2024-02-13 12:51:01 +0100
committer	Louis <louis@chmn.me>	2024-02-21 21:49:23 +0100
commit	19fcee2ede3b03757d4388dcdb3a5c01b4998a22 (patch)
tree	11a6f6606e588a016e2ab880d2fb40681e61cb9b /apps/files_versions
parent	fa1a08f5eea7d7daf8f5b0935945ec4932202df6 (diff)
download	nextcloud-server-19fcee2ede3b03757d4388dcdb3a5c01b4998a22.tar.gz nextcloud-server-19fcee2ede3b03757d4388dcdb3a5c01b4998a22.zip