diff --git a/apps/dav/lib/Connector/Sabre/DavAclPlugin.php b/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
index f574cec00c6b6..236ca3da7fac7 100644
--- a/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
@@ -8,6 +8,7 @@
  * @author Robin Appelman
  * @author Roeland Jago Douma
  * @author Thomas Müller
+ * @author Richard Steinmetz
  *
  * @license AGPL-3.0
  *
@@ -105,11 +106,15 @@ public function beforeMethod(RequestInterface $request, ResponseInterface $respo
  parent::beforeMethod($request, $response);
- $createAddressbookOrCalendarRequest = ($request->getMethod() === 'MKCALENDAR' || $request->getMethod() === 'MKCOL') && (str_starts_with($path, 'addressbooks/') || str_starts_with($path, 'calendars/'));
+ if (!str_starts_with($path, 'addressbooks/') && !str_starts_with($path, 'calendars/')) {
+ return;
+ }
- if ($createAddressbookOrCalendarRequest) {
- [$parentName] = \Sabre\Uri\split($path);
+ [$parentName] = \Sabre\Uri\split($path);
+ if ($request->getMethod() === 'REPORT') {
+ // is calendars/users/bob or addressbooks/users/bob readable?
+ $this->checkPrivileges($parentName, '{DAV:}read');
+ } elseif ($request->getMethod() === 'MKCALENDAR' || $request->getMethod() === 'MKCOL') {
  // is calendars/users/bob or addressbooks/users/bob writeable?
  $this->checkPrivileges($parentName, '{DAV:}write');
  }
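Review bot: The new REPORT branch in the second hunk checks `{DAV:}read` on `$parentName`, the parent of the request path, so the inline comment is accurate only when the request targets a child of the home collection. For a REPORT sent to the home collection itself the check lands one level higher, and whether the target's own ACL is then enforced depends on the individual report handlers, which this hunk does not show. I would document that at the branch, for example `// REPORT is gated on the parent collection here; the target node's own read privilege must still be enforced by the report handler`, with the wording adjusted to what `parent::beforeMethod()` and the handlers really do. Reading the method once into a local, `$method = $request->getMethod();`, would also keep the three comparisons from drifting apart. beforeMethod starts above the hunk, so the way `$path` is derived is not visible here.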