POST /api/files/restore/:versionId always returns 400 due to wrong route param in verifyFileAccess middleware

[riya-dumbare]

Problem

The version restore endpoint is completely broken. Every restore attempt fails with 400 File ID is required before reaching the controller, making the Version History feature entirely unusable.

Root Cause

verifyFileAccess middleware extracts the file ID from req.params.id or req.params.fileId but the restore route only exposes :versionId in params. So actualFileId is always undefined and the middleware short-circuits with a 400 before restoreVersion is ever called.

Steps to Reproduce

1. Open any file in a workspace
2. Save a version via the version history panel
3. Click Restore on any saved version
4. Observe: request fails with 400 File ID is required

Expected Behavior

The file content is restored to the selected version.

Affected Files

• backend/routes/fileRoutes.js
• backend/middleware/filePermission.js
• backend/controllers/versionController.js

Suggested Fix

Pass :fileId as a separate route param so verifyFileAccess can resolve the workspace membership check and keep :versionId alongside it.

router.post('/restore/:fileId/:versionId', verifyFileAccess, checkRole('editor'), restoreVersion);

Alternatively, accept fileId in the request body and read it via req.body inside verifyFileAccess.

Severity

High — the Version History feature is entirely unusable as shipped.

[riya-dumbare]

Hii @alokkksharmaa , I would like to work on this issue. Please assign this issue to me under GSSoC'26.