1 files changed, 7 insertions, 4 deletions
diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 8150fdbaa32..faf3a9c8f1c 100644
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -9,15 +9,18 @@ require_once('../../../../lib/base.php');
 OC_JSON::checkLoggedIn();
 
 $id = $_POST['id'];
-
-$vcalendar = OC_Calendar_App::getVCalendar($id);
+$access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+if($access != 'owner' && $access != 'rw'){
+	OC_JSON::error(array('message'=>'permission denied'));
+	exit;
+}
+$vcalendar = OC_Calendar_App::getVCalendar($id, false, false);
 $vevent = $vcalendar->VEVENT;
 
 $allday = $_POST['allDay'];
 $delta = new DateInterval('P0D');
 $delta->d = $_POST['dayDelta'];
 $delta->i = $_POST['minuteDelta'];
-
 OC_Calendar_App::isNotModified($vevent, $_POST['lastmodified']);
 
 $dtstart = $vevent->DTSTART;
@@ -40,4 +43,4 @@ $vevent->setDateTime('DTSTAMP', 'now', Sabre_VObject_Element_DateTime::UTC);
 
 $result = OC_Calendar_Object::edit($id, $vcalendar->serialize());
 $lastmodified = $vevent->__get('LAST-MODIFIED')->getDateTime();
-OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
+OC_JSON::success(array('lastmodified'=>(int)$lastmodified->format('U')));
+\ No newline at end of file