
2.2.x releases don't actually have admin permission security patch #1526

Open
@fdintino

Description


The CHANGELOG states that the 2.2.5 release includes a backport of the patch from #1352, but a comparison of the 2.2.4 and 2.2.5 releases shows that it's missing: 2.2.4...2.2.5. And you can see that filer.admin.clipboardadmin.ajax_upload doesn't have the permission check. Compare

```python
def ajax_upload(request, folder_id=None):
    """
    Receives an upload from the uploader. Receives only one file at a time.
    """
    if not request.user.has_perm("filer.add_file"):
        messages.error(request, NO_PERMISSIONS)
        return JsonResponse({'error': NO_PERMISSIONS})
    if folder_id:
        ...  # snippet truncated in the issue
```

with https://github.com/django-cms/django-filer/blob/2.2.5/filer/admin/clipboardadmin.py#L66-L71
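A release check for the backport described above, as an added example that is not part of this issue or of the django-filer project. It parses a copy of clipboardadmin.py with `ast` and reports whether `ajax_upload` opens with the `has_perm("filer.add_file")` guard that returns early; the two source strings are constructed stand-ins for the patched and unpatched files, not the real ones.

```python
import ast

# Constructed stand-ins for the two shapes of filer/admin/clipboardadmin.py
# discussed in the issue; they are not the project's actual files.
PATCHED_SRC = '''
def ajax_upload(request, folder_id=None):
    """Receives an upload from the uploader."""
    if not request.user.has_perm("filer.add_file"):
        messages.error(request, NO_PERMISSIONS)
        return JsonResponse({'error': NO_PERMISSIONS})
    if folder_id:
        pass
'''

UNPATCHED_SRC = '''
def ajax_upload(request, folder_id=None):
    """Receives an upload from the uploader."""
    if folder_id:
        pass
'''


def _is_perm_guard(stmt, perm):
    """True if stmt is `if not <obj>.has_perm(perm): ... return ...`."""
    if not isinstance(stmt, ast.If):
        return False
    test = stmt.test
    if not (isinstance(test, ast.UnaryOp) and isinstance(test.op, ast.Not)):
        return False
    call = test.operand
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
            and call.func.attr == "has_perm" and len(call.args) == 1):
        return False
    arg = call.args[0]
    if not (isinstance(arg, ast.Constant) and arg.value == perm):
        return False
    # A guard that only logs and falls through is not a guard: require a return.
    return any(isinstance(n, ast.Return) for n in stmt.body)


def view_has_perm_guard(source, view_name="ajax_upload", perm="filer.add_file"):
    """Return True if the view's first real statement is the permission guard."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == view_name:
            body = node.body
            # Skip a leading docstring so it does not count as the first statement.
            if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant):
                body = body[1:]
            return bool(body) and _is_perm_guard(body[0], perm)
    raise ValueError(f"view {view_name!r} not found in source")
```

Running it against each tagged release's clipboardadmin.py turns the CHANGELOG claim into a check that fails when the backport is missing.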
