From 37df1b7012867e5a44d9bfbabb85d4dd861a6ca0 Mon Sep 17 00:00:00 2001
From: Louis Chemineau <louis@chmn.me>
Date: Wed, 21 Feb 2024 14:34:12 +0100
Subject: [PATCH] Check permissions when labeling a version

Signed-off-by: Louis Chemineau <louis@chmn.me>
---
 apps/files_versions/lib/Versions/LegacyVersionsBackend.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index 40b297493e6..8a806c87462 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -211,6 +211,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
 	}
 
 	public function setVersionLabel(IVersion $version, string $label): void {
+		if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+			throw new Forbidden('You cannot label this version because you do not have update permissions on the source file.');
+		}
+
 		$versionEntity = $this->versionsMapper->findVersionForFileId(
 			$version->getSourceFile()->getId(),
 			$version->getTimestamp(),