From 9c8eb104b6595b47bc0304f11645fca2b7290f0d Mon Sep 17 00:00:00 2001
From: Georg Ehrke <dev@georgswebsite.de>
Date: Mon, 14 May 2012 15:38:50 +0200
Subject: [PATCH] check user permissions in calendar's changepermission.php

---
 apps/calendar/ajax/share/changepermission.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/calendar/ajax/share/changepermission.php b/apps/calendar/ajax/share/changepermission.php
index e4a4f186ab0..2737420c94e 100755
--- a/apps/calendar/ajax/share/changepermission.php
+++ b/apps/calendar/ajax/share/changepermission.php
@@ -17,6 +17,14 @@ switch($idtype){
 		OCP\JSON::error(array('message'=>'unexspected parameter'));
 		exit;
 }
+if($idtype == 'calendar' && !OC_Calendar_App::getCalendar($id)){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
+if($idtype == 'event' && !OC_Calendar_App::getEventObject($id)){
+	OCP\JSON::error(array('message'=>'permission denied'));
+	exit;
+}
 $sharewith = $_GET['sharewith'];
 $sharetype = strip_tags($_GET['sharetype']);
 switch($sharetype){
-- 
2.39.5