From 73038156cc9f8feb4838d8a7d9f610140c496cb9 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Sun, 12 Feb 2012 10:40:57 +0100
Subject: [PATCH] check userrights in events.php
---
 apps/calendar/ajax/events.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index b686aff1c7..96ee6775f7 100755
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -21,6 +21,11 @@ if($_GET['calendar_id'] == 'shared'){
 $events = array_merge($events, $calendarevents);
 }
 }else{
+ $calendar = OC_Calendar_Calendar::find($_GET['calendar_id']);
+ if($calendar['userid'] != OC_User::getUser()){
+ OC_JSON::error();
+ exit;
+ }
 $events = OC_Calendar_Object::allInPeriod($_GET['calendar_id'], $start, $end);
 }
 $user_timezone = OC_Preferences::getValue(OC_USER::getUser(), 'calendar', 'timezone', date_default_timezone_get());
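Review bot: The ownership check added in the else branch uses loose `!=`, so two different user ids that PHP considers numerically equal (such as `'1e3'` and `'1000'`) pass as the same owner. The result of `OC_Calendar_Calendar::find()` is also indexed without checking that a row came back; if a miss yields a falsy value and `OC_User::getUser()` is falsy for an anonymous request, the two sides compare equal and the guard is skipped. I would make the guard `if(!$calendar || $calendar['userid'] !== OC_User::getUser()){`, assuming both values are strings (confirm before switching to strict comparison). Whether a login check runs earlier in events.php is not visible in this hunk; if none does, it belongs before this branch. A short comment such as `// only the calendar owner may list its events` above the check would record the intent.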