Versions of files get leaked to guests
Hi guys,
We just noticed a security vulnerability in the guests app. If the app files_versions is not on the app whitelist for guests, they still see the versions tab in the file details and can download all versions of a file.
This was already mentioned in #338, but I think it should be labeled more as a vulnerability / data leakage than information being shown in the sidepanel.
I assume this comes from how URLs are whitelisted and assigned to apps. As far as I see, the versions get downloaded using DAV, which is always being whitelisted in the code.
I hope this can be fixed soon, because the app is really nice and useful, but we cannot have guests download old versions of our files.
Thanks!