Merge pull request #5415 from nextcloud/backport/5412/stable33

[stable33] fix: Properly check for lock wopi operations

Author: elzody

lib/Controller/WopiController.php

@@ -668,6 +668,10 @@ public function postFile(string $fileId, string $access_token): JSONResponse {
 			return new JSONResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		if (!$wopi->getCanwrite()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		switch ($wopiOverride) {
 			case 'LOCK':
 				return $this->lock($wopi, $wopiLock);
@@ -686,10 +690,6 @@ public function postFile(string $fileId, string $access_token): JSONResponse {
 
 		$isRenameFile = ($this->request->getHeader('X-WOPI-Override') === 'RENAME_FILE');
 
-		if (!$wopi->getCanwrite()) {
-			return new JSONResponse([], Http::STATUS_FORBIDDEN);
-		}
-
 		// Unless the editor is empty (public link) we modify the files as the current editor
 		$editor = $wopi->getEditorUid();
 		$isPublic = $editor === null && !$wopi->isRemoteToken();