From 59f9964e80c8233775f27be33a4c16a31bfe848a Mon Sep 17 00:00:00 2001
From: Ramires Viana <59319979+ramiresviana@users.noreply.github.com>
Date: Fri, 26 Mar 2021 13:30:14 +0000
Subject: [PATCH] fix: check modify permission on file overwrite

---
 http/resource.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/http/resource.go b/http/resource.go
index cd103778..c6902476 100644
--- a/http/resource.go
+++ b/http/resource.go
@@ -118,6 +118,11 @@ func resourcePostHandler(fileCache FileCache) handleFunc {
 return http.StatusConflict, nil
 }
 
+ // Permission for overwriting the file
+ if !d.user.Perm.Modify {
+ return http.StatusForbidden, nil
+ }
+
 err = delThumbs(r.Context(), fileCache, file)
 if err != nil {
 return errToStatus(err), err
@@ -204,6 +209,11 @@ var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request,
 dst = addVersionSuffix(dst, d.user.Fs)
 }
 
+ // Permission for overwriting the file
+ if override && !d.user.Perm.Modify {
+ return http.StatusForbidden, nil
+ }
+
 err = d.RunHook(func() error {
 switch action {
 // TODO: use enum
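Review bot: The comment `// Permission for overwriting the file` on the new check in resourcePostHandler does not say why Modify is required at this point, and the same wording is repeated in the resourcePatchHandler hunk. The condition that establishes that the target already exists lies outside this hunk, so the check alone does not show that it guards only the overwrite path. Assuming that is the case, I would write `// The target already exists, so this upload replaces its content: require Modify.` The 403 is returned with a nil error, like the 409 just above it; if the handler wrapper records only non-nil errors (not visible here), refused overwrite attempts would leave no audit trail, which is worth confirming for an authorization decision.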
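Review bot: The new guard in resourcePatchHandler is keyed on the request's `override` flag rather than on whether `dst` actually exists, so it protects existing files only if the code before this hunk already refuses an existing destination when `override` is false. That code is outside the hunk; if it does not, an existing file could still be replaced without Modify, and the check would be safer tied to an existence test on `dst`. The guard also sits after `dst = addVersionSuffix(dst, d.user.Fs)`, so a request that was moved to a fresh suffixed name appears to be refused as well when `override` is set, although nothing would be overwritten. Once the intended cases are confirmed, a comment such as `// override replaces an existing dst, which requires Modify` would record the invariant the check depends on.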