better permission check in resize.php

author: Georg Ehrke <ownclouddev@georgswebsite.de> 2012-02-22 10:42:33 +0100
committer: Georg Ehrke <ownclouddev@georgswebsite.de> 2012-02-22 10:42:33 +0100
commit: cff0ac2bf99c9655f0ff792ec16bc0c624b07194 (patch)
tree: 8b4a5f9966d8fa0b4dc81b2880aadfa166925b02 /apps/calendar/ajax
parent: 0ae088a50a42fa73b2afb87d0fe80dea2129c430 (diff)
download: nextcloud-server-cff0ac2bf99c9655f0ff792ec16bc0c624b07194.tar.gz
nextcloud-server-cff0ac2bf99c9655f0ff792ec16bc0c624b07194.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/apps/calendar/ajax/event/resize.php b/apps/calendar/ajax/event/resize.php
index aa2d420e77d..1136273b706 100644
--- a/apps/calendar/ajax/event/resize.php
+++ b/apps/calendar/ajax/event/resize.php
@@ -10,6 +10,11 @@ OC_JSON::checkLoggedIn();
 
 $id = $_POST['id'];
 
+if(!OC_Calendar_Share::is_editing_allowed(OC_User::getUser(), $id, OC_Calendar_Share::EVENT) && OC_Calendar_Object::getowner($id) != OC_User::getUser()){
+	OC_JSON::error(array('message'=>'permissiondenied'));
+	exit;
+}
+
 $vcalendar = OC_Calendar_App::getVCalendar($id);
 $vevent = $vcalendar->VEVENT;
author	Georg Ehrke <ownclouddev@georgswebsite.de>	2012-02-22 10:42:33 +0100
committer	Georg Ehrke <ownclouddev@georgswebsite.de>	2012-02-22 10:42:33 +0100
commit	cff0ac2bf99c9655f0ff792ec16bc0c624b07194 (patch)
tree	8b4a5f9966d8fa0b4dc81b2880aadfa166925b02 /apps/calendar/ajax
parent	0ae088a50a42fa73b2afb87d0fe80dea2129c430 (diff)
download	nextcloud-server-cff0ac2bf99c9655f0ff792ec16bc0c624b07194.tar.gz nextcloud-server-cff0ac2bf99c9655f0ff792ec16bc0c624b07194.zip