Read-only share recipient can restore old versions of file.
The restore capability of Nextcloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.
- Nextcloud Server < 9.0.52
The permission check is now also performed on restore actions.
Steps to repro:
1) Create a document.
2) Share it with someone.
3) Name the owner as Owner and the other user as X.
4) Now from Owner add a new version of the file.
5) From user X restore the previous version and intercept the request.
6) Now delete user X from the can-edit rank.
7) Now from Owner add a new version again.
8) Now repeat the request that was intercepted by user X and you will see that the document got restored.
POC : https://youtu.be/KpK89cD3Vk8
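To make the missing check concrete, the following is an added, self-contained Python model of a versioned file with share permissions; it is not Nextcloud's code, and the names `Store`, `Perm`, `restore` and `replay_scenario` are hypothetical. The `restore` method only verifies read access when `check_update=False` (the behaviour the report describes) and additionally requires update permission when `check_update=True` (the fix: the same permission check on restore as on write). `replay_scenario` walks through the report's steps and returns whether the replayed restore request changed the file after user X was demoted to read-only.

```python
"""Illustrative model (not Nextcloud's code) of share permissions on a versioned file."""
from dataclasses import dataclass, field
from enum import IntFlag


class Perm(IntFlag):
    READ = 1
    UPDATE = 2


class PermissionDenied(Exception):
    pass


@dataclass
class VersionedFile:
    owner: str
    content: str
    versions: list = field(default_factory=list)  # previous contents, oldest first


class Store:
    def __init__(self):
        self.files = {}   # path -> VersionedFile
        self.shares = {}  # (path, recipient) -> Perm granted by the owner

    def create(self, owner, path, content):
        self.files[path] = VersionedFile(owner, content)

    def share(self, owner, path, recipient, perms):
        # Only the owner can grant or change share permissions.
        if self.files[path].owner != owner:
            raise PermissionDenied("only the owner can share")
        self.shares[(path, recipient)] = perms

    def permissions_for(self, user, path):
        if self.files[path].owner == user:
            return Perm.READ | Perm.UPDATE
        return self.shares.get((path, user), Perm(0))

    def _require(self, user, path, needed):
        if not (self.permissions_for(user, path) & needed):
            raise PermissionDenied(f"{user} lacks {needed.name} on {path}")

    def write(self, user, path, content):
        # Writing a new version always requires update permission.
        self._require(user, path, Perm.UPDATE)
        f = self.files[path]
        f.versions.append(f.content)
        f.content = content

    def restore(self, user, path, index, check_update=True):
        """Roll the file back to versions[index].

        check_update=False models the pre-fix behaviour: anyone who can read the
        share may restore. check_update=True applies the same permission check a
        write needs, which is the fix described in the advisory.
        """
        self._require(user, path, Perm.READ)
        if check_update:
            self._require(user, path, Perm.UPDATE)
        f = self.files[path]
        f.versions.append(f.content)
        f.content = f.versions[index]


def replay_scenario(check_update):
    """Walk through the report's steps; return True if the replayed restore
    succeeded after user X was reduced to read-only access."""
    s = Store()
    s.create("owner", "/doc.txt", "v1")                        # step 1
    s.share("owner", "/doc.txt", "x", Perm.READ | Perm.UPDATE)  # step 2: X can edit
    s.write("owner", "/doc.txt", "v2")                          # step 4
    request = ("x", "/doc.txt", 0)                               # step 5: captured restore request
    s.restore(*request, check_update=check_update)
    if s.files["/doc.txt"].content != "v1":
        raise RuntimeError("restore by an editor should succeed")
    s.share("owner", "/doc.txt", "x", Perm.READ)                # step 6: X demoted to read-only
    s.write("owner", "/doc.txt", "v3")                          # step 7
    before = s.files["/doc.txt"].content
    try:
        s.restore(*request, check_update=check_update)          # step 8: replay the request
    except PermissionDenied:
        return False
    return s.files["/doc.txt"].content != before


if __name__ == "__main__":
    print("without update check, replay restores file:", replay_scenario(False))
    print("with update check, replay restores file:", replay_scenario(True))
```

The point of the model is that the permission decision must be made per action at request time, from the share's current permissions, not from whatever the client was allowed to do when it first obtained the request; a restore is a write and needs the same check.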
Thanks for reading!!!