From a04689b7840f336fed92ec648754cca02dcd90f0 Mon Sep 17 00:00:00 2001
From: Mario Vavti
Date: Tue, 30 Apr 2019 12:08:19 +0200
Subject: do not allow editing events that do not belong to us
---
 Zotlabs/Module/Channel_calendar.php | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'Zotlabs/Module')
diff --git a/Zotlabs/Module/Channel_calendar.php b/Zotlabs/Module/Channel_calendar.php
index 6741d611c..7fa03fb34 100644
--- a/Zotlabs/Module/Channel_calendar.php
+++ b/Zotlabs/Module/Channel_calendar.php
@@ -147,6 +147,11 @@ class Channel_calendar extends \Zotlabs\Web\Controller {
 }
 return;
 }
+
+ if($x[0]['event_xchan'] !== $channel['xchan_hash']) {
+ notice( t('Not allowed.') . EOL);
+ return;
+ }
 $acl->set($x[0]);
-- cgit v1.2.3
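Review bot: The ownership guard added before `$acl->set($x[0])` refuses the edit with only a user-facing notice, so a denied attempt leaves no server-side trace, and nothing explains why a row loaded for this channel can carry a foreign `event_xchan`. I would put a comment above the check, for example `// the calendar also holds events authored by other channels; only the author (event_xchan) may edit`. That reading is presumed, since the query that fills `$x` is outside the hunk. I would also log the refusal with the event's identifier and the requesting channel, so repeated attempts against other people's events show up in the hub log. The enclosing method starts and ends outside the hunk, so it is not visible here whether other mutating paths for the same event (deletion, for instance) apply the same comparison; that is worth confirming.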