
Commit c4ab94e

authored
Merge pull request #43874 from nextcloud/backport/43727/stable23
2 parents 941dee9 + db2085c commit c4ab94e


1 file changed

+29
-1
lines changed


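--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -27,6 +27,7 @@
 namespace OCA\Files_Versions\Versions;
 
 use OC\Files\View;
+use OCA\DAV\Connector\Sabre\Exception\Forbidden;
 use OCA\Files_Sharing\SharedStorage;
 use OCA\Files_Versions\Storage;
 use OCP\Files\File;
@@ -37,16 +38,20 @@
 use OCP\Files\Storage\IStorage;
 use OCP\IUser;
 use OCP\IUserManager;
+use OCP\IUserSession;
 
 class LegacyVersionsBackend implements IVersionBackend {
 /** @var IRootFolder */
 private $rootFolder;
 /** @var IUserManager */
 private $userManager;
+/** @var IUserSession */
+private $userSession;
 
-public function __construct(IRootFolder $rootFolder, IUserManager $userManager) {
+public function __construct(IRootFolder $rootFolder, IUserManager $userManager, IUserSession $userSession) {
 $this->rootFolder = $rootFolder;
 $this->userManager = $userManager;
+$this->userSession = $userSession;
 }
 
 public function useBackendForStorage(IStorage $storage): bool {
@@ -96,6 +101,10 @@ public function createVersion(IUser $user, FileInfo $file) {
 }
 
 public function rollback(IVersion $version) {
+if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
+throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
+}
+
 return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
 }
 
@@ -125,4 +134,23 @@ public function getVersionFile(IUser $user, FileInfo $sourceFile, $revision): Fi
 $file = $versionFolder->get($userFolder->getRelativePath($sourceFile->getPath()) . '.v' . $revision);
 return $file;
 }
+
+private function currentUserHasPermissions(IVersion $version, int $permissions): bool {
+$sourceFile = $version->getSourceFile();
+$currentUserId = $this->userSession->getUser()->getUID();
+
+if ($currentUserId === null) {
+throw new NotFoundException("No user logged in");
+}
+
+if ($sourceFile->getOwner()->getUID() !== $currentUserId) {
+$nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
+$sourceFile = array_pop($nodes);
+if (!$sourceFile) {
+throw new NotFoundException("Version file not accessible by current user");
+}
+}
+
+return ($sourceFile->getPermissions() & $permissions) === $permissions;
+}
 }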
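Review bot: In `currentUserHasPermissions`, `$this->userSession->getUser()->getUID()` dereferences the session user before the `$currentUserId === null` check, so when no user is logged in (where `getUser()` returns null) the call fails with a PHP Error instead of the intended `NotFoundException`, and the null check below it can effectively never fire. The rollback is still refused in that case, but as an unhandled error rather than a clean denial; fetch the user first: `$currentUser = $this->userSession->getUser();`, `if ($currentUser === null) { throw new NotFoundException("No user logged in"); }`, `$currentUserId = $currentUser->getUID();`. `$sourceFile->getOwner()` is dereferenced the same way in the ownership comparison and may also be null on some storages, which is worth confirming. `NotFoundException` is not among the `use` lines visible in these hunks, so check that it is imported elsewhere in the file.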
