From d8026de6b38aeacdc8a409339b7cc77f99835789 Mon Sep 17 00:00:00 2001
From: Louis Chemineau <louis@chmn.me>
Date: Tue, 13 Feb 2024 12:51:01 +0100
Subject: [PATCH] Check node permissions when restoring a version

Signed-off-by: Louis Chemineau <louis@chmn.me>
---
 apps/files_versions/lib/Versions/LegacyVersionsBackend.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index 3ae6d31a428..85ad0cd671d 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -179,6 +179,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
 	}
 
 	public function rollback(IVersion $version) {
+		if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+			throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+		}
+
 		return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
 	}