Check node permissions when restoring a version

Signed-off-by: Louis Chemineau <louis@chmn.me>
author: Louis Chemineau <louis@chmn.me> 2024-02-13 12:51:01 +0100
committer: Louis Chemineau <louis@chmn.me> 2024-02-21 21:47:50 +0100
commit: d8026de6b38aeacdc8a409339b7cc77f99835789 (patch)
tree: 54d9e521170555bb191a72d24df29b329b27acf5 /apps/files_versions
parent: b48b153ac683789bdeecbb3ad66cef9cf37fef38 (diff)
download: nextcloud-server-d8026de6b38aeacdc8a409339b7cc77f99835789.tar.gz
nextcloud-server-d8026de6b38aeacdc8a409339b7cc77f99835789.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index 3ae6d31a428..85ad0cd671d 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -179,6 +179,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
 	}
 
 	public function rollback(IVersion $version) {
+		if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+			throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+		}
+
 		return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
 	}
author	Louis Chemineau <louis@chmn.me>	2024-02-13 12:51:01 +0100
committer	Louis Chemineau <louis@chmn.me>	2024-02-21 21:47:50 +0100
commit	d8026de6b38aeacdc8a409339b7cc77f99835789 (patch)
tree	54d9e521170555bb191a72d24df29b329b27acf5 /apps/files_versions
parent	b48b153ac683789bdeecbb3ad66cef9cf37fef38 (diff)
download	nextcloud-server-d8026de6b38aeacdc8a409339b7cc77f99835789.tar.gz nextcloud-server-d8026de6b38aeacdc8a409339b7cc77f99835789.zip