check userrights in events.php

author: Georg Ehrke <dev@georgswebsite.de> 2012-02-12 10:40:57 +0100
committer: Georg Ehrke <dev@georgswebsite.de> 2012-02-12 10:40:57 +0100
commit: 73038156cc9f8feb4838d8a7d9f610140c496cb9 (patch)
tree: 5ad036c9494fc494b4bca4ffb0f786f5c071d3e4 /apps/calendar/ajax
parent: 1bd3b65069abfc5e81f67d19bc38a51b1ac1505a (diff)
download: nextcloud-server-73038156cc9f8feb4838d8a7d9f610140c496cb9.tar.gz
nextcloud-server-73038156cc9f8feb4838d8a7d9f610140c496cb9.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index b686aff1c72..96ee6775f7f 100755
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -21,6 +21,11 @@ if($_GET['calendar_id'] == 'shared'){
 		$events = array_merge($events, $calendarevents);
 	}
 }else{
+	$calendar = OC_Calendar_Calendar::find($_GET['calendar_id']);
+	if($calendar['userid'] != OC_User::getUser()){
+		OC_JSON::error();
+		exit;
+	}
 	$events = OC_Calendar_Object::allInPeriod($_GET['calendar_id'], $start, $end);
 }
 $user_timezone = OC_Preferences::getValue(OC_USER::getUser(), 'calendar', 'timezone', date_default_timezone_get());
author	Georg Ehrke <dev@georgswebsite.de>	2012-02-12 10:40:57 +0100
committer	Georg Ehrke <dev@georgswebsite.de>	2012-02-12 10:40:57 +0100
commit	73038156cc9f8feb4838d8a7d9f610140c496cb9 (patch)
tree	5ad036c9494fc494b4bca4ffb0f786f5c071d3e4 /apps/calendar/ajax
parent	1bd3b65069abfc5e81f67d19bc38a51b1ac1505a (diff)
download	nextcloud-server-73038156cc9f8feb4838d8a7d9f610140c496cb9.tar.gz nextcloud-server-73038156cc9f8feb4838d8a7d9f610140c496cb9.zip