Make events show again.

1 files changed, 7 insertions, 8 deletions

diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index b0c5587633f..3f29f1e5eff 100644
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -13,16 +13,15 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
 // Look for the calendar id
-$calendar_id = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false);
-if($calendar_id !== false){
-	if(! is_numeric($calendar_id['userid']) && $calendar_id['userid'] != OCP\User::getUser()){
-		OCP\JSON::error();
-		exit;
+$calendar_id = null;
+if (strval(intval($_GET['calendar_id'])) == strval($_GET['calendar_id'])) { // integer for sure.
+	$id = intval($_GET['calendar_id']);
+	$calendarrow = OC_Calendar_App::getCalendar($id, true, false); // Let's at least security check otherwise we might as well use OC_Calendar_Calendar::find()
+	if($calendarrow !== false && is_int($calendar_id['userid']) && $id == $calendar_id['userid']) {
+		$calendar_id = $id;
 	}
 }
-else {
-	$calendar_id = $_GET['calendar_id'];
-}
+$calendar_id = (is_null($calendar_id)?strip_tags($_GET['calendar_id']):$calendar_id);
 
 $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
 $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);