forbid changing the displayname or color of the calendar/deck when th…

…e user doesn't has the "manage" permissions Signed-off-by: Bjoern Schiessle <[email protected]>
nextcloud · Apr 27, 2023 · 6684023 · 6684023
1 parent 43bec15
commit 6684023
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lib/DAV/Calendar.php b/lib/DAV/Calendar.php
@@ -188,12 +188,18 @@ public function propPatch(PropPatch $propPatch) {
 			foreach ($properties as $key => $value) {
 				switch ($key) {
 					case '{DAV:}displayname':
+						if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
+							throw new Forbidden('no permission to change the displayname');
+						}
 						if (mb_strpos($value, 'Deck: ') === 0) {
 							$value = mb_substr($value, strlen('Deck: '));
 						}
 						$this->board->setTitle($value);
 						break;
 					case '{http://apple.com/ns/ical/}calendar-color':
+						if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
+							throw new Forbidden('no permission to change the calendar color');
+						}
 						$color = substr($value, 1, 6);
 						if (!preg_match('/[a-f0-9]{6}/i', $color)) {
 							throw new InvalidDataException('No valid color provided');