From a15c0d65150b89be497a1f75a40b872a11a30bfc Mon Sep 17 00:00:00 2001
From: Louis Chemineau
Date: Tue, 19 Mar 2024 17:39:12 +0100
Subject: [PATCH] Merge pull request #44297 from nextcloud/fix/forbid-tagging-readonly-files Forbid tagging readonly files
Signed-off-by: Louis Chemineau
---
 .../lib/Versions/LegacyVersionsBackend.php | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
index 0f752c2ea6848..dcc56225c7357 100644
--- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
+++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php
@@ -275,15 +275,23 @@ private function currentUserHasPermissions(FileInfo $sourceFile, int $permission
 throw new NotFoundException("No user logged in");
 }
- if ($sourceFile->getOwner()?->getUID() !== $currentUserId) {
- $nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
- $sourceFile = array_pop($nodes);
- if (!$sourceFile) {
- throw new NotFoundException("Version file not accessible by current user");
+ if ($sourceFile->getOwner()?->getUID() === $currentUserId) {
+ return ($sourceFile->getPermissions() & $permissions) === $permissions;
+ }
+
+ $nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
+
+ if (count($nodes) === 0) {
+ throw new NotFoundException("Version file not accessible by current user");
+ }
+
+ foreach ($nodes as $node) {
+ if (($node->getPermissions() & $permissions) === $permissions) {
+ return true;
 }
 }
- return ($sourceFile->getPermissions() & $permissions) === $permissions;
+ return false;
 }
 public function setMetadataValue(Node $node, int $revision, string $key, string $value): void {
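Review bot: The non-owner branch now grants access as soon as any node returned by `getById()` carries every requested bit, so a file the user reaches through both a read-only and a writable mount passes a write check no matter which path the request used. That any-path rule is an authorization policy and is nowhere written down. I would add a comment above the `foreach`, such as `// Granted if at least one mount exposing this file to the user carries all requested permission bits.` The method also has two failure modes that callers must not conflate: it throws `NotFoundException` when no user is logged in or no node is visible, and returns `false` when nodes exist but lack the bits, which a short docblock with `@throws NotFoundException` should state. The diffstat lists only this file, so a regression test with a single read-only share node appears to be missing; the function body starts above the hunk.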