diff --git a/calendar/inc/class.calendar_groupdav.inc.php b/calendar/inc/class.calendar_groupdav.inc.php
index 1bcc880c03..e70b8e8d00 100644
--- a/calendar/inc/class.calendar_groupdav.inc.php
+++ b/calendar/inc/class.calendar_groupdav.inc.php
@@ -734,7 +734,7 @@ class calendar_groupdav extends groupdav_handler
 $this->groupdav->log("Both If-Match and If-Schedule-Tag-Match header given: If-Schedule-Tag-Match takes precedence for participants!");
 }
 }
- //client specified a CalDAV Scheduling schedule-tag precondition
+ // check CalDAV Scheduling schedule-tag precondition
 if ($this->use_schedule_tag && isset($_SERVER['HTTP_IF_SCHEDULE_TAG_MATCH']))
 {
 $schedule_tag_match = $_SERVER['HTTP_IF_SCHEDULE_TAG_MATCH'];
@@ -746,11 +746,17 @@ class calendar_groupdav extends groupdav_handler
 if ($this->debug) error_log(__METHOD__."(,,$user) schedule_tag missmatch: given '$schedule_tag_match' != '$schedule_tag'");
 return '412 Precondition Failed';
 }
+ }
+ // if no edit-rights (aka no organizer), update only attendee stuff: status and alarms
+ if (!$this->check_access(EGW_ACL_EDIT, $oldEvent))
+ {
+ if (isset($oldEvent['participants'][$user]))
+ {
+ if ($this->debug) error_log(__METHOD__."(,,$user) user $user is NOT an attendee!");
+ return '403 Forbidden';
+ }
 // update only participant status and alarms of current user
- // fix for iCal on OS X, which uses only a schedule-tag (no etag), if event has no participants (only calendar owner)
- // --> do regular calendar update as with matching etag (otherwise no updates possible)
- if (!(count($oldEvent['participants']) == 1 && isset($oldEvent['participants'][$user])) &&
- ($events = $handler->icaltoegw($vCalendar)))
+ if (($events = $handler->icaltoegw($vCalendar)))
 {
 $modified = 0;
 foreach($events as $n => $event)
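Review bot: The attendee guard added in the second hunk looks inverted: `if (isset($oldEvent['participants'][$user]))` returns '403 Forbidden' when the user is a participant, while the debug message on the next line says the user is NOT an attendee. As written, an attendee without edit rights is rejected, and a caller who is neither organizer nor attendee falls through to the `icaltoegw()` participant-update path; the guard should read `if (!isset($oldEvent['participants'][$user]))`. The rest of the method lies outside the hunk, so whether a later check still stops a non-attendee cannot be confirmed from here. Because the added `}` appears to close the If-Schedule-Tag-Match block, this branch now seems to run for every request without edit rights, which makes the direction of this check the main access-control decision on that path and worth a regression test for both the attendee and the non-attendee case.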