affects OMERO versions 5.2.7 and earlier
A user could create an OriginalFile and adjust its path such that it now points to another user's file on the underlying filesystem, then manipulate the user's data.
The uniqueness constraint on (path, name, repo) does not prevent this because of the trick of using "/./" (maybe for some repos "/../") or whatever in the path. The fix is to disallow new path/name with ".." and "." components when editing existing OriginalFile instances.
OMERO.server up to and including 5.2.7.
All OMERO.servers should be upgraded to at least 5.2.8.