fix: check modify permission on file overwrite

http/resource.go

@@ -118,6 +118,11 @@ func resourcePostHandler(fileCache FileCache) handleFunc {
 				return http.StatusConflict, nil
 			}
 
+			// Permission for overwriting the file
+			if !d.user.Perm.Modify {
+				return http.StatusForbidden, nil
+			}
+
 			err = delThumbs(r.Context(), fileCache, file)
 			if err != nil {
 				return errToStatus(err), err
@@ -204,6 +209,11 @@ var resourcePatchHandler = withUser(func(w http.ResponseWriter, r *http.Request,
 		dst = addVersionSuffix(dst, d.user.Fs)
 	}
 
+	// Permission for overwriting the file
+	if override && !d.user.Perm.Modify {
+		return http.StatusForbidden, nil
+	}
+
 	err = d.RunHook(func() error {
 		switch action {
 		// TODO: use enum